2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e

Sharing

Copy URL

Twitter E-mail

General

Target

mmc-stable-win32.zip
Size

13.4MB
Sample

221230-ddyntseg92
MD5

45373f75c382eca0c44cba6915d7f6b7
SHA1

34ed4532d48a8d58bb845f5c6a5927aaa260fab9
SHA256

2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e
SHA512

34d27b7cc81f8f2ac4ff73c340e608f32dc8af16c899b17018c40305fd1cf1d7b75264f9b9a4ec79a1b74836eeea872bed25a99a7e57a2c5445b2cb7fa3aa1f8
SSDEEP

196608:9Zkgd/mcKTMG3GS6iw+7WLqB8114REWkcJXTkHAhWsWxCNqm567aQvsLB0Sqdpfz:Ay/mqG3GVinAqB818h6H/xRm56Wh9+V

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note

User's Manual ~~~~~~~~~~~~~ RAR 6.11 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual. RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe). Configuration file ~~~~~~~~~~~~~~~~~~ RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string: switches=<any RAR switches separated by spaces> For example: switches=-m5 -s It is also possible to specify separate switch sets for individual RAR commands using the following syntax: switches_<command>=<any RAR switches separated by spaces> For example: switches_a=-m5 -s switches_x=-o+ Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted. Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch. You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files. path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch. Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting. In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB. Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command. It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If used without any switches, 'ch' command just copies the archive data without modification. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. If this command removes all files from archive, the empty archive is removed. e Extract files without archived paths. Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames. Example: rar e -or html.rar *.css css\ extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name. f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables; If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups. This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR. Example: rar k final.rar l[t[a],b] List archive contents [technical [all], bare]. 'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character. 'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters. 'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data. 'lb' lists bare file names with path, one per line, without any additional information. You can use -v switch to list contents of all volumes in volume set: rar l -v vol.part1.rar Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present. When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory. Example: rar r buggy.rar c:\fixed\ repair buggy.rar and place the result to 'c:\fixed' directory. rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name. Example: rar rc backup.part03.rar Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the archive data.rar. It is allowed to use wildcards in the source and destination names for simple name transformations

Emails

[email protected]

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note

WinRAR - What's new in the latest version Version 6.11 1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB. 2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments. 3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version. 4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive. 5. Additional measures to prevent extracting insecure links are implemented. 6. Bugs fixed: a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later; b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction. Version 6.10 1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm. 2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog. 3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older. 4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista. 5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done. 6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction. 7. Switch -si can be used when extracting or testing to read archive data from stdin, such as: type docs.rar | rar x -si -o+ -pmypwd dummy docs\ Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts. 8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example: rar a -ep4texts\books archive c:\texts\books\technical removes "text\books" from archived names, so they start from 'technical'. 9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch. 10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character. 11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data. 12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes. 13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes. 14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently. 15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion. 16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy. 17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives: WinRAR a -v100k -v200k -v300k arcname.zip Previously multiple -v<size> switches were supported only for RAR archives. 18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives. 19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened. 20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities. 21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression". 22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name. 23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows. 24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gracefully skip external data like digital signatures. 25. Bugs fixed: a) when editing a file inside of .rar or .zip archive, WinRAR created a new SFX archive instead of updating an existing archive if "Create SFX archive" option was set in the default compression profile; b) the total progress could be displayed incorrectly when using -oi, -f, -u switches or appropriate GUI options; c) "Find files" command with "Use all tables" option and command line "it" commands failed to find strings in UTF-16 encoding. Version 6.02 1. ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body. We already prohibited extracting contents of such malformed archives in WinRAR 6.01. We are thankful to Jacob Thompson - Mandiant Advantage Labs for reporting this issue. 2. WinRAR uses https instead of http in the web notifier window, home page and themes links. It also implements additional checks within the web notifier. This is done to prevent a malicious web page from executing existing files on a user's computer. Such attack is only possible if the intruder has managed to spoof or otherwise control user's DNS records. Some other factors are also involved in limiting the practical application of this attack. We would like to express our gratitude to Igor Sak-Sakovskiy for bringing this issue to our attention. 3. Where appropriate, SFX archive displays the additional line with detailed error information provided by operating system. For example, previously such archive would display "Cannot create file" message alone. Now this message is followed by a detailed reason like access denied or file being used by another process. In the past this extended error information was available in WinRAR, but not in SFX archives. 4. Switch -idn hides archived names also in 'v' and 'l' commands. It can be useful if only the archive type or total information is needed. 5. If -ibck -ri<priority> switches are used together, WinRAR process sets the priority specified in -ri switch. Previous versions ignored -ri and set the priority to low in the presence of -ibck switch. 6. When using "File/Change drive" command, WinRAR saves the last folder of previous drive and restores it if that drive is selected again later. 7. Name of unpacking file is now included into WinRAR incorrect password warning for RAR5 archives. It can be helpful when unpacking a non-solid archive containing files encrypted with different passwords. 8. Bugs fixed: a) "Convert archives" command issued erroneous "The specified password is incorrect" message after succesfully converting RAR archive with encrypted file names if new password was set and archive was opened in WinRAR shell; b) if command progress window was resized up and then quickly resized down to original dimensions, window contents could be positioned incorrectly. Version 6.01 1. Ctrl+A keyboard shortcut selects the entire text in WinRAR comment window. 2. If -idn switch is used together with -t or -df in console RAR when archiving, it additionally disables "Deleting <filename>" or "Testing <filename>" messages, normally issued by these switches. Also -idn disables folder creation messages when extracting a file to non-existing folder. 3. WinRAR and ZIP SFX module refuse to extract contents of ZIP SFX archives if ZIP central directory is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into signature body. 4. Bugs fixed: a) "Convert archives" command could incorrectly convert Unicode comments in RAR archives. b) if two archive information windows had been opened from Explorer context menu, the compression ratio bar in the first window could erroneously display a value for second archive. It did not affect the ratio and other text details at the right of window. Only the vertical bar at the left could be updated to a wrong value; c) if "Wait if other WinRAR copies are active" option was enabled in extraction dialog, "Waiting for another WinRAR copy" title was not set in command progress window while waiting; d) when extracting a symbolic link, previous versions did not overwrite existing symbolic links even if user requested it in overwrite prompt. Version 6.00 1. "Ignore" and "Ignore All" options are added to read error prompt. "Ignore" allows to continue processing with already read file part only and "Ignore All" does it for all future read errors. For example, if you archive a file, which portion is locked by another process, and if "Ignore" is selected in read error prompt, only a part of file preceding the unreadable region will be saved into archive. It can help to avoid interrupting lengthy archiving operations, though be aware that files archived with "Ignore" are incomplete. If switch -y is specified, "Ignore" is applied to all files by default. Previously available "Retry" and "Quit" options are still present in read error prompt as well. 2. Exit code 12 is returned in the command line mode in case of read errors. This code is returned for all options in the read error prompt, including a newly introduced "Ignore" option. Previously more common fatal error code 2 was returned for read errors. 3. If several archives are selected, "Extract archives to" option group in "Options" page of extraction dialog can be used to place extracted files to specified destination folder, to separate subfolders in destination folder, to separate subfolders in archive folders and directly to archive folders. It replaces "Extract archives to subfolders" option and available only if multiple archives are selected. 4. New -ad2 switch places extracted files directly to archive's own folder. Unlike -ad1, it does not create a separate subfolder for each unpacked archive. 5. "Additional switches" option in "Options" page of archiving and extraction dialogs allows to specify WinRAR command line switches. It might be useful if there is no option in WinRAR graphical interface matching a switch. Use this feature only if you are familiar with WinRAR command line syntax and clearly understand what specified switches are intended for. 6. Compression parameters in "Benchmark" command are changed to 32 MB dictionary and "Normal" method. They match RAR5 default mode and more suitable to estimate the typical performance of recent WinRAR versions than former 4 MB "Best" intended for RAR4 format. Latest "Benchmark" results cannot be compared with previous versions directly. New parameters set produces different values, likely lower because of eight times larger dictionary size. 7. When unpacking a part of files from solid volume set, WinRAR attempts to skip volumes in the beginning and

URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

Targets

- Target
  
  mmc-stable-win32.zip
- Size
  
  13.4MB
- MD5
  
  45373f75c382eca0c44cba6915d7f6b7
- SHA1
  
  34ed4532d48a8d58bb845f5c6a5927aaa260fab9
- SHA256
  
  2ef69f36d3a99e423ae6b8de52168fd26656d0c274845270000b013043daac7e
- SHA512
  
  34d27b7cc81f8f2ac4ff73c340e608f32dc8af16c899b17018c40305fd1cf1d7b75264f9b9a4ec79a1b74836eeea872bed25a99a7e57a2c5445b2cb7fa3aa1f8
- SSDEEP
  
  196608:9Zkgd/mcKTMG3GS6iw+7WLqB8114REWkcJXTkHAhWsWxCNqm567aQvsLB0Sqdpfz:Ay/mqG3GVinAqB818h6H/xRm56Wh9+V
Score

10^/10

discovery persistence ransomware
- Modifies system executable filetype association
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Registers COM server for autorun
  persistence
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1
- Target
  
  MultiMC/MultiMC.exe
- Size
  
  8.6MB
- MD5
  
  86ec72e400abe379ed8453af49bbef32
- SHA1
  
  374abd6b7aa5687fc738ceee1df52be0994fd8bc
- SHA256
  
  10e44003255706995674e8dfdd43ce8242ee5f8402cafc8ec01e614d7c93dfa7
- SHA512
  
  846619daf0bce719aa8ce63962b5e68f498010a36608c842dd94f7235fa5ef36e35be77aba528169eb132f7971e4f6f6298b102cf49b0ed3a41e9dbbff98b4ae
- SSDEEP
  
  196608:jSFXkbPNSzhxpI+nIrTGEhiKhxJunHR/OcdpIX9uVvVV5cVY7VjVMSrV4rNVVjVJ:aXWWwwdiYVvVV5cVY7VjVMSrV4rNVVj7
Score

1^/10
behavioral2
- Target
  
  MultiMC/Qt5Core.dll
- Size
  
  5.1MB
- MD5
  
  9c31c47941edd8aed4bb51a3be9c6ea2
- SHA1
  
  e83d8c04fec834086a018f8bff01b614ef6e3341
- SHA256
  
  79b83c43af99a9cb72a744ae2262c090227907907e8f2deb937cd4e1f0965e4d
- SHA512
  
  9763960a8118ab558e1a26abef275cddb323449608eb4f8518b82fa67d34ffc1d146f4f6b3e072317d8b0af5e95ca84bcdeca838ec150d4b3ef2e748c0a9d961
- SSDEEP
  
  98304:paO5O7s0XerbbAJIaKSA31cCvErDsNYWZSgkvDFPJsv6tWKFdu9CQlld0:BOoZX8O1cBdUSg8DNJsv6tWKFdu9CQZ
Score

3^/10
behavioral3
- Target
  
  MultiMC/Qt5Gui.dll
- Size
  
  5.4MB
- MD5
  
  03e5f50d7848d9cc2d8d00127ea6e706
- SHA1
  
  30a5fd241e9db476f11235d7a7d650ec23ac97e2
- SHA256
  
  047811d5fecb88e19c6e70aeabac7848599142cfe8aba1a01c0d130dd4f72452
- SHA512
  
  d41c80f85cfbe9779cccb3ad3825917044075b126c866aece157c6b85b418382394cb6a58cd5b2ea386659c042fcebe963131fb2d37ee80c684c1c9154eb9e31
- SSDEEP
  
  98304:TKTu1y8DX4YFi3UIK5f77kyB1ophScU22BhrwRD7e+1X+Q86o:TPTFbFdYhd86
Score

3^/10
behavioral4
- Target
  
  MultiMC/Qt5Network.dll
- Size
  
  1.5MB
- MD5
  
  a72dfd36b9b8c51de93f3c7cca5945ce
- SHA1
  
  1bb6dfcb892b74968f5b8ef26e0027842df20fbf
- SHA256
  
  41fafdcea112cb01edadc0b2c14995d4cf05e4b5fd101a6e196baaa614b228e8
- SHA512
  
  5a38b11928f1319dac7b75cfd8304610f75e0464f26bc44810458e14cc79ca9d1396f55c1c6405baf95e176755a50c8076bcf6b30d05e4fc95607f479b9f9dec
- SSDEEP
  
  49152:ZrURZC+3uELYy60bMcDrGBj3IfTt3yLorAnjhm:FK0+3uEUy6YMcDrGBz
Score

3^/10
behavioral5
- Target
  
  MultiMC/Qt5Svg.dll
- Size
  
  349KB
- MD5
  
  96934c8f93716fb4c5ab7433c3fcf660
- SHA1
  
  e411016b245b77813f8ea5ed9dc8dcf9403ac831
- SHA256
  
  adb44de5a537f5fadb9288e3852189f799ba7b95cef847f2198a8864ab6f063b
- SHA512
  
  bcd231289cf4900886a4a5c55c0584073da36d5dd823ebf6a59986932fdb1cf70ead079fcdc7e9cfd4837e6212eb7037a7b5b7b0704e073b06c6fc4f5dbbc97d
- SSDEEP
  
  6144:GCJ8N/2aVIOLZS5Qyk2MIwe8x1TB3JJ+Wd5J/LCW2V:GCJQ2arZS2yAG8x1TRjDL
Score

3^/10
behavioral6
- Target
  
  MultiMC/Qt5Widgets.dll
- Size
  
  6.2MB
- MD5
  
  501d23a2e5e2f8bb1564ac627f674bc0
- SHA1
  
  84934fea79b0e4c39afc325b48a3dbc64e6d98ef
- SHA256
  
  5c16112f7f7454e2e802f4a18e0b9a9a0086b9ae29bae35892d7d32f3fa81c94
- SHA512
  
  9282c422b289309f74c5af8a5b102791057607ea0e35f0bde41a64c4240cae3f1fac921c3271d55fd22e56a9934db6b535c114244a79debcf8185fc4c094163c
- SSDEEP
  
  98304:wNL3373gY4y8fcLwtFc94OLHa2QmqfbTI7N6WidvtjPvAsSo+AyNBVmcBNx2hXL/:a+yG+yFisM46BJqgxUVs3Xcu6
Score

3^/10
behavioral7
- Target
  
  MultiMC/Qt5Xml.dll
- Size
  
  221KB
- MD5
  
  f09bf12746b7821c7ab1e16ce41e9119
- SHA1
  
  f70368238133e02957e465ae1196f064da69680b
- SHA256
  
  dbdd63614097767943c585c09f08d346500683e308861f583b2589618d491d6a
- SHA512
  
  ff3dfbec1efb9dae085da3b38f1f7b3d59c289137bc18c8330a6ae95471eded0569669dbf9eb83ffb3be03803c6eb248f2999b963614c40719bc953138fe85d5
- SSDEEP
  
  3072:nn7BwPZm8TEGjKh+NPmuWFaDA1w1Bn6PJQD+B6TQtiPVSe00FUAuDl3DF+bDXW2b:uPdjKhY+uWFaDA1jeu6TQtiPWuPW2
Score

3^/10
behavioral8
- Target
  
  MultiMC/iconengines/qsvgicon.dll
- Size
  
  44KB
- MD5
  
  cbb708acdbcfd89e1de38e2c4aa9192a
- SHA1
  
  c9f658b429391876bbfdf8081b3e90d725bb2307
- SHA256
  
  8cb93b212c02fd6d222e985e629df698227323c43b7f0b71be3649aa8cb3cc2f
- SHA512
  
  2bd5a12c236ef1da3e8e002850595c101255e519b66a3a75e6f3a12bdebdd67b54b47b08028695eb8c571bc257f7241cce6351d3cf4d3fd4ed1176965eb02e0f
- SSDEEP
  
  768:xjf6bXA7t029ZxcVeA69Pz47e8J8J80IHN6n61/KWqYTfbiWS:EM5Oc41WW9ghWxbib
Score

1^/10
behavioral9
- Target
  
  MultiMC/imageformats/qgif.dll
- Size
  
  32KB
- MD5
  
  67598fc68a992f106bfad56b22cac886
- SHA1
  
  9285cea038e0f8f10125ca4b724c264b041f4da6
- SHA256
  
  000bbacc0fa451c61413e50b3ef63d3461da422b3425404d8952a52182121b6d
- SHA512
  
  04af56c60969090c4d09fc27fbb8c1d794ab4b6dc9ba3eadc842edca7f68788f7880ec0e533b63dde284511a456dee10814824795915ff492ca01e64e7b86429
- SSDEEP
  
  384:afrulhh3V/N8pXxdQLwfUOWcE7kX80HBFZuTRpIWvTCCz:yMR8ZE4u7qBEIW2Cz
Score

1^/10
behavioral10
- Target
  
  MultiMC/imageformats/qicns.dll
- Size
  
  45KB
- MD5
  
  3b48f732f811ea6ea4fcc18808a7df1e
- SHA1
  
  f924dbd2a760e8b259582a43a0797bda29b3d06f
- SHA256
  
  5da98ac16c329354b1b709b20fcf797f3fbdb8d3e834054568d2ff68e897851d
- SHA512
  
  a1c1eff1357be31172bc340c339ccd31dde7285db3fcbd5c10989af743a8936596b8252ffea1b52c6be6ea06f11b3845268f76e52289dc28896dd26ebf9d1c30
- SSDEEP
  
  768:naEh/izNdGh+UNit6OT80EyJ4kCsIusIGEWBNdk9:aEhfg/8KJjPmQWBNdk
Score

1^/10
behavioral11
- Target
  
  MultiMC/imageformats/qico.dll
- Size
  
  35KB
- MD5
  
  2c32188d9388b06ec91170e4461913ab
- SHA1
  
  082689789ff54cacf94b0f171c762df512c8a786
- SHA256
  
  63f7f73d9bd956ca55b80ce29d24c0a1da1a126885d45473e5779ca78a709dcb
- SHA512
  
  57286e87e9a013229db863c152d41b7af821b8afa7f84259f58f7089a947ca3771d526aada88212fcbb235209b6b504a489a5c43c4ba0b2a77e1f31e882e9262
- SSDEEP
  
  384:JUev3snLkJqIN1v5dqY3M1lNRa16NQkgcPkRu7xR3xr+i1AxwWTTVqI5SEwZY1:l2XqL0IexWkg0k0dR31fWdqqSEwZY1
Score

1^/10
behavioral12
- Target
  
  MultiMC/imageformats/qjpeg.dll
- Size
  
  246KB
- MD5
  
  c228c1486e203d48d9c7d84d0b631e15
- SHA1
  
  1ccdd75d6cd473d00aa17686ec98f509b1e8e360
- SHA256
  
  a55cb801a07932d263c980b14abdb464acd8150b9258260efdf535634bfe9811
- SHA512
  
  a649078738e69572276a37431c495582f933b04701deded8b5f6dd5b3c6d5b9d338ddb242b71659038d324ca74c2a8f2b229c7beba6f16ddea238f2bcbfae870
- SSDEEP
  
  6144:jutAUtpjvlyaX8XZ99bkBRSMArBPkfB917Wu:jutAavlqJMArBPkf
Score

1^/10
behavioral13
- Target
  
  MultiMC/imageformats/qsvg.dll
- Size
  
  28KB
- MD5
  
  7eb5b428de2fd5ce7f361bbf3d6aada4
- SHA1
  
  318acc5132492347727bde7ed70516150144b140
- SHA256
  
  c818b37d77c84e3a9963a761bae3eefc73cccd3485ee6cb1c085c670041e9c59
- SHA512
  
  681fb8a700aee5f44cf1f328c2fea157a98dab12e287f686d408584b5096ac262cb5cd2b2ff1f3c1b6e55d374ade2236118f41ec9c14fbec7014aae0683c1e5d
- SSDEEP
  
  384:0F2Z2Eg8ESscKYkiluz0RdysDv2IWsTmqK5J5:SqESTnDRbWH1J
Score

1^/10
behavioral14
- Target
  
  MultiMC/imageformats/qwbmp.dll
- Size
  
  26KB
- MD5
  
  8e1eb9386572d0c7e62e0230a67ff987
- SHA1
  
  0c26b03c95cacf4ee63aaff2e52e6d732b0aadbe
- SHA256
  
  e7bdd9c34a62b3b46d8e7d224be3f5f7607a27634a8a6fd4f85549869f2d1145
- SHA512
  
  370b990e8cb3652c87190dabbff8440a1fb58282d860ed25b9fb2aac7c1809df176c8d6a4f685ac843fddf52f08cc07c832382eb6ae55ef5c4f3da74adf7a9f9
- SSDEEP
  
  384:Ntm9jnAo9hvpbVDTs16ZHGg3FEE2IWgTrODw9:ejnAoHQzEWOOD
Score

1^/10
behavioral15
- Target
  
  MultiMC/jars/JavaCheck.jar
- Size
  
  1KB
- MD5
  
  16d8178e5a55d814fd1d2814094653ac
- SHA1
  
  2736f178b6463606393a88e0955461272def1c7f
- SHA256
  
  6dbb0df875bb6456095a6c02d9a1d29b3a6b0ff50ac93cfd5a143630c8521e49
- SHA512
  
  bc607f85dddc1606810127bd943f1baf32cde6ead66a73f6771deb9413b841c46ac1b7cb051628dfdf67be75c83c55d6ef6bca9cddd994885e81f4ede7044da6
Score

1^/10
behavioral16
- Target
  
  MultiMC/jars/NewLaunch.jar
- Size
  
  14KB
- MD5
  
  ec0fbe9b90e6da62ef3bcb49df2836ae
- SHA1
  
  cc507d7d98e816ae3f61c4c40a796db6fb56cd63
- SHA256
  
  afe2181afa664c43b8d8b899584e6be6e788b785a860e3e6f8e3d501dc4b8484
- SHA512
  
  1b03db3688817f0da3649871cc32ccfcf87c7241ee5ca0e1352c8db0414d9dc07d3845f3e63bc8800713ba0da001a2bccc936e18355fc7c68e6bfe0a9d857d9b
- SSDEEP
  
  384:XCoBnP8zR7GtjOdjbvew7ArIKLGa5XbAQqbSZk/FxS2:SAPLQ1bm1EKKaFbVz0Fx1
Score

1^/10
behavioral17
- Target
  
  MultiMC/libLauncher_iconfix.dll
- Size
  
  127KB
- MD5
  
  84acb289049b167366875f61b5596752
- SHA1
  
  523a7a2d0df5be5e1f0c99cd2c63e4d1db38afa7
- SHA256
  
  055f67a18e58c8637cb2cd8a58f9c05bb942521465954e18722564e0337776be
- SHA512
  
  99f35bf4f0418c0aac19d2e35e29708dc21011ee4adfdabb180c1deefeeb71f0cbaf953584d158c6d6de332a1d9480092de79b42ed0ed8420b3b49370aee7b9d
- SSDEEP
  
  3072:hUhA8S8fo6OjGyy1zWmC00TEUmIKOpS8aNx5tnzgp:KhA8S8fo6OjGJ1zWLTEUmIKOpS8aNx5Q
Score

3^/10
behavioral18
- Target
  
  MultiMC/libLauncher_nbt++.dll
- Size
  
  342KB
- MD5
  
  a8fd1d3ca86576af970775e814578dc0
- SHA1
  
  b600843f2c8ef110fcbb5dd5f57211bbe189056d
- SHA256
  
  0de8b725ff2074290b6c9f5f38a4650b84eaf299456c2dc5cd9e71b1e1962824
- SHA512
  
  48042b9b3f5e6471261f663351b86d5c231cc2158f71cb2cdc3bdc2f667a90175d908b7325b8ab156366eddf037baf788abd6555825a04b90f8f85cb44386cb8
- SSDEEP
  
  6144:eIUgcH0hzdJ8UOxWbc5sCDPB/Qll7a56FBTYb4Y7pHhW6dJjgGoo5Nheff1ByLca:eIUgcH0hGV/Qll7W
Score

3^/10
behavioral19
- Target
  
  MultiMC/libLauncher_nbt++.dll.a
- Size
  
  149KB
- MD5
  
  ffabd70def945035addf48ebef4a8f86
- SHA1
  
  803b95adab566e55f8fdb4a4a7c7cd4eff6a73a5
- SHA256
  
  809783bc1689c21caedef407fda5c722a725361357c90ca27561ac67f93b38e2
- SHA512
  
  04dd492f9bca6580c8b552c9d582580f03f26f3f81b4f62af897299954cdb05c054d37424208a0c7ec1a7cd3df1469e5522815edb7ea9ce2f1863275dbb2b2e4
- SSDEEP
  
  768:BPr973m9vvDJvmFE0ZFCrA9PUOYT5cQZ5qSpQfKMKpDMng+NJO+7o5Amsmwx15qR:xr973mXDaKrk37Tu6qY57VYmK
Score

3^/10
behavioral20
- Target
  
  MultiMC/libLauncher_quazip.dll
- Size
  
  313KB
- MD5
  
  4813b90c24f25f01bbf5acd064164aa6
- SHA1
  
  087784084f0dceffe380980a3c506766d3ef390b
- SHA256
  
  9bd5cb1a97a9700430ba656eca4f4646cac537c76d4bde1ac9f8f8206e410952
- SHA512
  
  04c0a853b7b58a148fc0493710569526866582bd4d1da272fa090a9b29cda65cfb2bef6272f507902b247c1cbe601b79eb50352d1f689dc0549e41b02df66757
- SSDEEP
  
  6144:c2GqFejo44ffwqGOIq/2VPWt8RJhywVapRwT5yM:UqFBF0Oh2T
Score

3^/10
behavioral21
- Target
  
  MultiMC/libLauncher_rainbow.dll
- Size
  
  67KB
- MD5
  
  0a9b6d533e16eb5795bd8730bb61e060
- SHA1
  
  5ae86c52d44ac0715e81d8ddd17f746a39c71e45
- SHA256
  
  3bdb910a160dad572f40d744054585e7164b03065229bb6673832347ca82368e
- SHA512
  
  fce04e1eb406c6b6dd161624df1fc4c5fad0d31c982e884183f0e217582240098fa9cc2682afb3ed825dab7602a4a26f4782fe00898746ef6e465897cfbcf66f
- SSDEEP
  
  768:kEg24DKoyYH150BEexXfz2xGpsy/a2MaOtRd9P9mg8rO71:kFVD11ij11DM5hP7x
Score

3^/10
behavioral22
- Target
  
  MultiMC/libeay32.dll
- Size
  
  2.0MB
- MD5
  
  cbf108307adf8bd4bab6b128d07b9dfd
- SHA1
  
  69a2faf90356c46a19a2062e388217f94c195d47
- SHA256
  
  2f20c026052e5fa19cef41ffe0efcf24d8a0b72b111836b752c5a5233a3bba24
- SHA512
  
  aa4ce9a4a2fbba5c6d79b21c659319ce88b9fae853ab5192e48cbd384bb9211ce52de003bf784aaff0133740bc130675044ca72a1713607554558ead8162b8f0
- SSDEEP
  
  49152:ITREYq/BXaITiJ3AI9r5O55DPy5oEHTcdcFKFRMKMn/0Nq6D/V41G:ITREYq/BXtTiJ3AI9r5O55DPy5oEHXKP
Score

1^/10
behavioral23
- Target
  
  MultiMC/libgcc_s_dw2-1.dll
- Size
  
  117KB
- MD5
  
  fadde43c97607e4445a6f924d851f04e
- SHA1
  
  36c1aa0e1b6d4a322c350f5e502c10c64c203041
- SHA256
  
  f0614835136413217ed3baec9ba22aaac4c37956afcb0209f1f89b7676ae86bc
- SHA512
  
  66f5637419f88070838ed522defad9aa1b46dd4fd8cb045e0292742831520740d152795b6e99770f34061db596019ef3a342a956b541180e78d1c48b2703f42c
- SSDEEP
  
  1536:CxINSJvU82V9dUT4PsXQ+2Q4p2VtjByBzEj6zu3PEhOKeLTxaek:CzmpUkPsXQ+2zsBy9IPEh6Zaek
Score

3^/10
behavioral24
- Target
  
  MultiMC/libssp-0.dll
- Size
  
  18KB
- MD5
  
  d6859975aaf6d3aa92f2d50f6e9876a0
- SHA1
  
  d3cf8dd3f1ab9712e819a33b3827fe02e7732aa8
- SHA256
  
  17329c4c19e8f23cde9c99155eb3f8759f8d2383ad856c32a51b3b9fa2846811
- SHA512
  
  75acc3c020cd7138f5f5e3aac30c6d659a20c6f1bfe3635a6cebae13c4ea0a549994ca65b51f96b8f6042b0e2696e68762ec5a683fd25133729631cf6b43ad15
- SSDEEP
  
  192:dp7WMmYHrucAtBZgcVJRi15SDTiDLbjIq1W8WQjfHTjXtUxmj:/aM5aNMcV30VLbj9sJQ7HXQg
Score

3^/10
behavioral25
- Target
  
  MultiMC/libstdc++-6.dll
- Size
  
  1002KB
- MD5
  
  c283d446b34e75019b81d0981cb11f0d
- SHA1
  
  a6e146975dfc55b0659d09e25b9a69f7cff993dc
- SHA256
  
  f6530962659d0641236a42517a30dc55c4fcb7d30e942c3e820af343798a770d
- SHA512
  
  eb51969a79ee4501c955a81cec9f07e9a39007c1ea69c5021e03ebf3b640d949e19f6e0cd7af969e80ec60ea6b8477804fb76deec2704db503e72906103fea63
- SSDEEP
  
  24576:KSNHTild8LMw2g8XiGkMAZ0dP5Bd+1DT50v4H:7dLM8GkMAQBdih
Score

3^/10
behavioral26
- Target
  
  MultiMC/libwinpthread-1.dll
- Size
  
  48KB
- MD5
  
  d128ae39a79e5d196fc001907b5ec3d1
- SHA1
  
  71de74d0aa93903e0a169c88fd21e0c617f0660a
- SHA256
  
  4195ac1e3a4a8056de42c31d511e0e595772439adba96180b8953ef5f135f7a5
- SHA512
  
  5b32eb7e2f01fb17ed0c4434a525ae3056acddde75c32c5036c18b6f2ffa4cf80cfee9bab4c824ca313e6e33114ea0e761dc8f75db3bbbbe4319c079848a3c06
- SSDEEP
  
  768:NdOT5wjxqOfH36THnf/GcTuI4bOBxZXmVwDI7dTBhkSoFrg22222222222A26wiB:rE5wtqOfX6T/uDIm4xZ2WI7jhkSoFHij
Score

1^/10
behavioral27
- Target
  
  MultiMC/platforms/qwindows.dll
- Size
  
  1.4MB
- MD5
  
  56954e18add3156caba4489616e892dd
- SHA1
  
  36cc60e7da33ac88f4c3bb61f2ddf01d384a73ca
- SHA256
  
  8745fcf14809fccd3acb3e579993cad589a1203d0bd3cb1acd5d3a9bb0e92583
- SHA512
  
  2e72776f03af37bdbd280d475709e0d4f7c1d4f98ff6222b77f26e10c848732d1a2578482c3d51633477c7dbe77e2aed25c117744a958893fc048bb15ee574fc
- SSDEEP
  
  24576:aiKxMPHVBhiCphvSPkcnQXTHr31zvut7Z+rXOA7WIZETX3klg89Ypay:20p/JvutPjTX3klg89Ypay
Score

1^/10
behavioral28
- Target
  
  MultiMC/qt.conf
- Size
  
  1B
- MD5
  
  7215ee9c7d9dc229d2921a40e899ec5f
- SHA1
  
  b858cb282617fb0956d960215c8e84d1ccf909c6
- SHA256
  
  36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
- SHA512
  
  f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768
Score

3^/10
behavioral29
- Target
  
  MultiMC/ssleay32.dll
- Size
  
  435KB
- MD5
  
  2a9639d9287113b49a9bddb878c2938e
- SHA1
  
  c8a60c7d228c0d45640bc9b243281e32e37d3ca0
- SHA256
  
  0f4bb89e47492f2f6c43d851b0ec94f5d60738921efdcec0fb1a0b386904a126
- SHA512
  
  35e9231b4fc9f7841e764953d224e5b550de6d9e09758cafb7b92261fafdb6bec4e10aadd28d65ce0a87632eaa43c544be0c40731123dac695fc76c7dcd2ebb4
- SSDEEP
  
  6144:5qrg0lIeOMz+nhhNH72O8limm1bB/0Ya8QQZiHjDvzHXOi53EZL5hijSdg:B8lfm1bBzhZiHjzK9/IjCg
Score

1^/10
behavioral30
- Target
  
  MultiMC/zlib1.dll
- Size
  
  73KB
- MD5
  
  c7d4d685a0af2a09cbc21cb474358595
- SHA1
  
  b784599c82bb90d5267fd70aaa42acc0c614b5d2
- SHA256
  
  e96b397b499d9eaa3f52eaf496ca8941e80c0ad1544879ccadf02bf2c6a1ecfc
- SHA512
  
  fed2c126a499fae6215e0ef7d76aeec45b60417ed11c7732379d1e92c87e27355fe8753efed86af4f58d52ea695494ef674538192fac1e8a2a114467061a108b
- SSDEEP
  
  1536:+4nToIf2W/nkQRZHaamLQHoIOah7Vryh7IO4cZlIXw6Epb:bTBfHdRZH9mLQHuaBVGn4FXw6E1
Score

3^/10
behavioral31