Analysis Overview
Threat Level: Known bad
The file https://u.to/Hw4kGw was found to be: Known bad.
Malicious Activity Summary
Modifies system executable filetype association
Registers COM server for autorun
Echelon
Echelon log file
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in Program Files directory
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer Phishing Filter
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
NTFS ADS
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2021-03-13 17:10 |
Signatures
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2021-03-13 17:10 |
| Reported | 2021-03-13 17:13 |
| Platform | win10v20201028 |
| Max time kernel | 150s |
| Max time network | 144s |
Command Line
Signatures
Echelon
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
Registers COM server for autorun
Echelon log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\winrar-x64-601b1.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\uninstall.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\WinRAR.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rar$EXb4484.13043\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\joined.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\joined.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\start.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rar$EXb4484.15476\Stub.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rar$EXb4484.20237\Client.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\WinRAR\WinRAR.exe |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = de4ef1e88fadd601 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "322468790" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "321817154" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "746" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\RepId | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007880b65022678142b61622584bfd6ca8000000000200000000001066000000010000200000004f18a1cd9006339b05af773a37cadd12e43fdb903226e409bbaf95733ffb814d000000000e80000000020000200000000b01dac1ed2d7afc3eb6132d31f07cdd339ec40ac6746e03d59acaf521d179c3200000007e2269c5d29a0f7f627697351200cc4617d508b4f1230b39b2e15de0986009d040000000d80deefcbe4c633c029d81f06c797d345f315c0ac5eea287be19b9d2e08f0c4a39e80a72774fa469a8650fb4d669ffb38b49399bddb933da8a5742fb05fe72bf | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00d517652b18d701 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "322420204" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\ = "76" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "123" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1619383314" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\ = "713" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\Total = "29" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\Total = "48" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "76" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a1e25e2b18d701 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30873643" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\WinRAR\WinRAR.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007880b65022678142b61622584bfd6ca800000000020000000000106600000001000020000000f027ae5192b0189dc2a7f2b2be682d77292ea2ae2ca8c156f63acc83a20edec7000000000e800000000200002000000020fe61377ab03b9b416e04fcb542230a3beb0a5620f155cdf78b171cfe4878e620000000eca502232afc37fd46de36b905715deb5b988ac83f0698c989278faeadf5708d4000000008058e17e56d9354986c18a700f835c7f1d017fa54398c04b75a2ec32e735a4c0276f32eea3612158453e07ee00679017f122368b46ce4f1b7396f95d42e55ac | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8B2CCCA3-841E-11EB-BEBD-F648E9E4AC23} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\Total = "9" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\Total = "713" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\Total = "91" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "48" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "91" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\ = "123" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{3DE88C70-9384-4E36-BF9B-83DA7E6B0D1D}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007880b65022678142b61622584bfd6ca8000000000200000000001066000000010000200000000ae6759250988a849af2dcce516b17c870a7867daf2d58ffdd6c6e3b37c78151000000000e800000000200002000000085037bd89573412a42bff2c42d1537d58cd7a50c9f3b78f9c4e8bcd9f63e60242000000031561a3fd1d979d2e758224f2c6dd6f5d0f001e545d6c10a3f43a909756908f04000000062bcc8fb8cff5d4c9de7e19cbc44423f6148a28502b6b935296bf2fb7ea16b1e68f0670e5254ca7238c86b68db067a188dff37ba850fc87251bbba4aaad554be | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30873643" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\ = "9" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\ = "29" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\Total = "76" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "713" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1606325625" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\u.to\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r25\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r04\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r06 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r15 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,1" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r13 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r22 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.z | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Program Files\WinRAR\WinRAR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r05\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r11 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r15\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r01 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r20 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r08\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r29 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r27\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2 | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r07\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR" | C:\Program Files\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" | C:\Program Files\WinRAR\uninstall.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\EWYCRADZ\root\CIMV2 | C:\Users\Admin\AppData\Local\Temp\start.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\WinRAR\WinRAR.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rar$EXb4484.15476\Stub.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\start.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\start.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\start.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\start.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\winrar-x64-601b1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\winrar-x64-601b1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\winrar-x64-601b1.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\uninstall.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\WinRAR.exe | N/A |
| N/A | N/A | C:\Program Files\WinRAR\WinRAR.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" https://u.to/Hw4kGw |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4776 CREDAT:82945 /prefetch:2 |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\winrar-x64-601b1.exe | "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PZ2C2W1\winrar-x64-601b1.exe" |
| C:\Program Files\WinRAR\uninstall.exe | "C:\Program Files\WinRAR\uninstall.exe" /setup |
| C:\Windows\system32\compattelrunner.exe | C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW |
| C:\Program Files\WinRAR\WinRAR.exe | "C:\Program Files\WinRAR\WinRAR.exe" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3208 -s 3136 |
| C:\Program Files\WinRAR\WinRAR.exe | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\crypter.rar" |
| C:\Users\Admin\AppData\Local\Temp\Rar$EXb4484.13043\Client.exe | "C:\Users\Admin\AppData\Local\Temp\Rar$EXb4484.13043\Client.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c bat.bat |
| C:\Users\Admin\AppData\Local\Temp\joined.sfx.exe | joined.sfx.exe -pHFESDEHJU55553JHNFRE -dC:\Users\Admin\AppData\Local\Temp |
| C:\Users\Admin\AppData\Local\Temp\joined.exe | "C:\Users\Admin\AppData\Local\Temp\joined.exe" |
| C:\Users\Admin\AppData\Local\Temp\File.exe | "C:\Users\Admin\AppData\Local\Temp\File.exe" |
| C:\Users\Admin\AppData\Local\Temp\start.exe | "C:\Users\Admin\AppData\Local\Temp\start.exe" |
| C:\Users\Admin\AppData\Local\Temp\Rar$EXb4484.15476\Stub.exe | "C:\Users\Admin\AppData\Local\Temp\Rar$EXb4484.15476\Stub.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | dw20.exe -x -s 820 |
| C:\Users\Admin\AppData\Local\Temp\Rar$EXb4484.20237\Client.exe | "C:\Users\Admin\AppData\Local\Temp\Rar$EXb4484.20237\Client.exe" |
Network
Files