Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

URLScan

urlscan

1

https://ydray.com/ge...

windows10-1703-x64

10

Resubmissions

07/01/2023, 07:45

230107-jlr4xada86 10

07/01/2023, 07:21

230107-h6vvvsda55 10

Analysis

  • max time kernel
    93s
  • max time network
    96s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    07/01/2023, 07:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://ydray.com/get/t/16730759831953PjwK67541c3cf7b9yV

Score
10/10
discoverypersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note
User's Manual ~~~~~~~~~~~~~ RAR 6.11 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual. RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe). Configuration file ~~~~~~~~~~~~~~~~~~ RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string: switches=<any RAR switches separated by spaces> For example: switches=-m5 -s It is also possible to specify separate switch sets for individual RAR commands using the following syntax: switches_<command>=<any RAR switches separated by spaces> For example: switches_a=-m5 -s switches_x=-o+ Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted. Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch. You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files. path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch. Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting. In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB. Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command. It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If used without any switches, 'ch' command just copies the archive data without modification. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. If this command removes all files from archive, the empty archive is removed. e Extract files without archived paths. Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames. Example: rar e -or html.rar *.css css\ extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name. f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables; If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups. This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR. Example: rar k final.rar l[t[a],b] List archive contents [technical [all], bare]. 'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character. 'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters. 'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data. 'lb' lists bare file names with path, one per line, without any additional information. You can use -v switch to list contents of all volumes in volume set: rar l -v vol.part1.rar Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present. When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory. Example: rar r buggy.rar c:\fixed\ repair buggy.rar and place the result to 'c:\fixed' directory. rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name. Example: rar rc backup.part03.rar Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the archive data.rar. It is allowed to use wildcards in the source and destination names for simple name transformations

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note
WinRAR - What's new in the latest version Version 6.11 1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB. 2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments. 3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version. 4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive. 5. Additional measures to prevent extracting insecure links are implemented. 6. Bugs fixed: a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later; b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction. Version 6.10 1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm. 2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog. 3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older. 4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista. 5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done. 6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction. 7. Switch -si can be used when extracting or testing to read archive data from stdin, such as: type docs.rar | rar x -si -o+ -pmypwd dummy docs\ Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts. 8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example: rar a -ep4texts\books archive c:\texts\books\technical removes "text\books" from archived names, so they start from 'technical'. 9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch. 10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character. 11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data. 12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes. 13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes. 14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently. 15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion. 16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy. 17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives: WinRAR a -v100k -v200k -v300k arcname.zip Previously multiple -v<size> switches were supported only for RAR archives. 18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives. 19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened. 20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities. 21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression". 22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name. 23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows. 24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gracefully skip external data like digital signatures. 25. Bugs fixed: a) when editing a file inside of .rar or .zip archive, WinRAR created a new SFX archive instead of updating an existing archive if "Create SFX archive" option was set in the default compression profile; b) the total progress could be displayed incorrectly when using -oi, -f, -u switches or appropriate GUI options; c) "Find files" command with "Use all tables" option and command line "it" commands failed to find strings in UTF-16 encoding. Version 6.02 1. ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body. We already prohibited extracting contents of such malformed archives in WinRAR 6.01. We are thankful to Jacob Thompson - Mandiant Advantage Labs for reporting this issue. 2. WinRAR uses https instead of http in the web notifier window, home page and themes links. It also implements additional checks within the web notifier. This is done to prevent a malicious web page from executing existing files on a user's computer. Such attack is only possible if the intruder has managed to spoof or otherwise control user's DNS records. Some other factors are also involved in limiting the practical application of this attack. We would like to express our gratitude to Igor Sak-Sakovskiy for bringing this issue to our attention. 3. Where appropriate, SFX archive displays the additional line with detailed error information provided by operating system. For example, previously such archive would display "Cannot create file" message alone. Now this message is followed by a detailed reason like access denied or file being used by another process. In the past this extended error information was available in WinRAR, but not in SFX archives. 4. Switch -idn hides archived names also in 'v' and 'l' commands. It can be useful if only the archive type or total information is needed. 5. If -ibck -ri<priority> switches are used together, WinRAR process sets the priority specified in -ri switch. Previous versions ignored -ri and set the priority to low in the presence of -ibck switch. 6. When using "File/Change drive" command, WinRAR saves the last folder of previous drive and restores it if that drive is selected again later. 7. Name of unpacking file is now included into WinRAR incorrect password warning for RAR5 archives. It can be helpful when unpacking a non-solid archive containing files encrypted with different passwords. 8. Bugs fixed: a) "Convert archives" command issued erroneous "The specified password is incorrect" message after succesfully converting RAR archive with encrypted file names if new password was set and archive was opened in WinRAR shell; b) if command progress window was resized up and then quickly resized down to original dimensions, window contents could be positioned incorrectly. Version 6.01 1. Ctrl+A keyboard shortcut selects the entire text in WinRAR comment window. 2. If -idn switch is used together with -t or -df in console RAR when archiving, it additionally disables "Deleting <filename>" or "Testing <filename>" messages, normally issued by these switches. Also -idn disables folder creation messages when extracting a file to non-existing folder. 3. WinRAR and ZIP SFX module refuse to extract contents of ZIP SFX archives if ZIP central directory is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into signature body. 4. Bugs fixed: a) "Convert archives" command could incorrectly convert Unicode comments in RAR archives. b) if two archive information windows had been opened from Explorer context menu, the compression ratio bar in the first window could erroneously display a value for second archive. It did not affect the ratio and other text details at the right of window. Only the vertical bar at the left could be updated to a wrong value; c) if "Wait if other WinRAR copies are active" option was enabled in extraction dialog, "Waiting for another WinRAR copy" title was not set in command progress window while waiting; d) when extracting a symbolic link, previous versions did not overwrite existing symbolic links even if user requested it in overwrite prompt. Version 6.00 1. "Ignore" and "Ignore All" options are added to read error prompt. "Ignore" allows to continue processing with already read file part only and "Ignore All" does it for all future read errors. For example, if you archive a file, which portion is locked by another process, and if "Ignore" is selected in read error prompt, only a part of file preceding the unreadable region will be saved into archive. It can help to avoid interrupting lengthy archiving operations, though be aware that files archived with "Ignore" are incomplete. If switch -y is specified, "Ignore" is applied to all files by default. Previously available "Retry" and "Quit" options are still present in read error prompt as well. 2. Exit code 12 is returned in the command line mode in case of read errors. This code is returned for all options in the read error prompt, including a newly introduced "Ignore" option. Previously more common fatal error code 2 was returned for read errors. 3. If several archives are selected, "Extract archives to" option group in "Options" page of extraction dialog can be used to place extracted files to specified destination folder, to separate subfolders in destination folder, to separate subfolders in archive folders and directly to archive folders. It replaces "Extract archives to subfolders" option and available only if multiple archives are selected. 4. New -ad2 switch places extracted files directly to archive's own folder. Unlike -ad1, it does not create a separate subfolder for each unpacked archive. 5. "Additional switches" option in "Options" page of archiving and extraction dialogs allows to specify WinRAR command line switches. It might be useful if there is no option in WinRAR graphical interface matching a switch. Use this feature only if you are familiar with WinRAR command line syntax and clearly understand what specified switches are intended for. 6. Compression parameters in "Benchmark" command are changed to 32 MB dictionary and "Normal" method. They match RAR5 default mode and more suitable to estimate the typical performance of recent WinRAR versions than former 4 MB "Best" intended for RAR4 format. Latest "Benchmark" results cannot be compared with previous versions directly. New parameters set produces different values, likely lower because of eight times larger dictionary size. 7. When unpacking a part of files from solid volume set, WinRAR attempts to skip volumes in the beginning and
URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

Signatures

  • Modifies system executable filetype association 2 TTPs 8 IoCs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 60 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ydray.com/get/t/16730759831953PjwK67541c3cf7b9yV
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3352
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5088
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.0.1575852283\855061993" -parentBuildID 20200403170909 -prefsHandle 1548 -prefMapHandle 1540 -prefsLen 1 -prefMapSize 219987 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 1640 gpu
        3⤵
          PID:4220
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5088.3.329208103\853487482" -childID 1 -isForBrowser -prefsHandle 2300 -prefMapHandle 2296 -prefsLen 156 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5088 "\\.\pipe\gecko-crash-server-pipe.5088" 2120 tab
          3⤵
            PID:5040
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • NTFS ADS
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:4740
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4740.0.1410330153\565465558" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1524 -prefsLen 1 -prefMapSize 220037 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4740 "\\.\pipe\gecko-crash-server-pipe.4740" 1628 gpu
            3⤵
              PID:4092
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4740.3.2097655933\1736931350" -childID 1 -isForBrowser -prefsHandle 2184 -prefMapHandle 2180 -prefsLen 135 -prefMapSize 220037 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4740 "\\.\pipe\gecko-crash-server-pipe.4740" 2224 tab
              3⤵
                PID:1596
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4740.13.580830682\671519375" -childID 2 -isForBrowser -prefsHandle 3456 -prefMapHandle 3452 -prefsLen 6227 -prefMapSize 220037 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4740 "\\.\pipe\gecko-crash-server-pipe.4740" 3428 tab
                3⤵
                  PID:4592
            • C:\Users\Admin\Downloads\winrar-x64-611.exe
              "C:\Users\Admin\Downloads\winrar-x64-611.exe"
              1⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              PID:3972
              • C:\Program Files\WinRAR\uninstall.exe
                "C:\Program Files\WinRAR\uninstall.exe" /setup
                2⤵
                • Modifies system executable filetype association
                • Executes dropped EXE
                • Registers COM server for autorun
                • Drops file in Program Files directory
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:4572
            • C:\Windows\System32\rundll32.exe
              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              1⤵
                PID:4440

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files\WinRAR\Rar.txt
                Filesize

                107KB

                MD5

                8933d6e810668af29d7ba8f1c3b2b9ff

                SHA1

                760cbb236c4ca6e0003582aaefd72ff8b1c872aa

                SHA256

                cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7

                SHA512

                344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e

                Download Submit

              • C:\Program Files\WinRAR\Uninstall.exe
                Filesize

                412KB

                MD5

                92667e28583a9489e3cf4f1a7fd6636e

                SHA1

                faa09990ba4daae970038ed44e3841151d6e7f28

                SHA256

                9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

                SHA512

                63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

                Download Submit

              • C:\Program Files\WinRAR\WhatsNew.txt
                Filesize

                95KB

                MD5

                d4c768c52ee077eb09bac094f4af8310

                SHA1

                c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1

                SHA256

                8089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c

                SHA512

                5b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847

                Download Submit

              • C:\Program Files\WinRAR\WinRAR.chm
                Filesize

                314KB

                MD5

                81b236ef16aaa6a3936fd449b12b82a2

                SHA1

                698acb3c862c7f3ecf94971e4276e531914e67bc

                SHA256

                d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e

                SHA512

                968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769

                Download Submit

              • C:\Program Files\WinRAR\WinRAR.exe
                Filesize

                2.3MB

                MD5

                0b114fc0f4b6d49f57b3b01dd9ea6a8c

                SHA1

                23e1480c3ff3a54e712d759e9325d362bf52fabd

                SHA256

                f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

                SHA512

                e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

                Download Submit

              • C:\Program Files\WinRAR\uninstall.exe
                Filesize

                412KB

                MD5

                92667e28583a9489e3cf4f1a7fd6636e

                SHA1

                faa09990ba4daae970038ed44e3841151d6e7f28

                SHA256

                9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

                SHA512

                63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\06F5A1230C4A9F6C1025F1D52BC8F00C
                Filesize

                472B

                MD5

                13789eb97594de5b8113e32f61cf2bbf

                SHA1

                bf72c2b641c205879bf6cd9c2152af7614054084

                SHA256

                55447c057673798dadecdf5d1303650d26390ea91aa8cbd49a799c8e623be039

                SHA512

                7456e7a5902f4b463c29c87117b7e0fb9fc1d3ebe6d2d31c3474b75b9e63bfdeae02de10088023179f2a7923e6e149e7a20eae537e58f98c37d1a8098bbfb9d3

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
                Filesize

                2KB

                MD5

                411cd537dcecbf901759b8e6c1bdb076

                SHA1

                655df9870867a1760ad1a2c967b330c61767437a

                SHA256

                aa9e441c6cf813efd9ba76fe4ae52d884a5c7d222ed221903c42f09bc14eb7db

                SHA512

                ea780f875c86f8694f67d236a0af066b952862356edb681375e6c387103a91ce085345359f8fe83dd630d310ee6b7637512e5868951c4c257daa411ab9c03e71

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                Filesize

                1KB

                MD5

                7c56401cb6bd1ae402e06f0fe35f81c4

                SHA1

                b82bbb9fa39266796cafcd308ef4300fc92e3399

                SHA256

                0c58c7bc18d38a3096da6f3575f1c6f8d79b69382d8e89bb5fca917d3cdb7f65

                SHA512

                2ea607c2dc04c8ef34ecb4c4bd297e0f0882b179303565863d1745172322133b78186fa04334e82c135e25fd717719ceec917f49682a4eac37034ea87bb2b6f3

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\06F5A1230C4A9F6C1025F1D52BC8F00C
                Filesize

                476B

                MD5

                1f30859b4f1d60599f714887d66584f8

                SHA1

                bd08e0eb488d7ae37b569bbf939bc4f44d925bca

                SHA256

                408c702f6f7b680c154d4ce3646d9a3632ca678f5a3cb6151ec8f2f1071d90ff

                SHA512

                f6866eac3e450a3b3a74d2573dbcb5b455c9a1f13251a3153494c6a7314050ea8fa24114b35b1311def9052f7f7f8f4e9f2831cfa84321c616ac41ae6fdcb25d

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
                Filesize

                488B

                MD5

                70644d81af801fdd0146883727b38200

                SHA1

                5cc7a657d8443ef49ee9bac438fd36368ed65217

                SHA256

                47eb3927f2ffee60f79eafba9990c69354391c2ecb0624a8aac373dc1216deeb

                SHA512

                e7a7c35cc3076530779e834055d90332c3c2ff335a98c05a3669f26b0214b20a1ab725d46702b1c3c581959f050b43babcdbc42b56a10bebec772dbe0674e183

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
                Filesize

                482B

                MD5

                1cfd1ea1a8cb56a0395c1998f5ae8649

                SHA1

                0f2a8aa87532ba7f609b85712c1885ef21249645

                SHA256

                c8d76a57cddd0f9a76a05900372550a352e5adafacd1c3c17f7e4c9b02944d93

                SHA512

                49a0715700a24c7ee02526ba3a03639ce857c4ab3b7949dccf6d4212bdeb1739981a9812c5a5d6978961c2973100b4735e63bfd8079b130b2d5614d99add7ef7

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\25HCM48V.cookie
                Filesize

                942B

                MD5

                6e44c574e782af1aa400a6749aa8b178

                SHA1

                c5034a0d8ad3098bfe5374a76e5fff17d3cec28a

                SHA256

                3b75b48efceadf637fea8061f68bebd9da22079d0191f613df0ea5c728cb7564

                SHA512

                d4a328be7b912d4374e7926afecfa3ccee8eb29debf2cc8119acb5a296773c31b3e94547aa153b3f4dbae2cad001813d7d7339a2920ffb08c7e8fd820ab80184

                Download Submit

              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0ceoz898.default-release\startupCache\startupCache.8.little
                Filesize

                344KB

                MD5

                e68a1c2202e4cd807f51b9b68964e5ff

                SHA1

                0565c963a891bbb1fff0680a3e5cc2d2b661d8f4

                SHA256

                3d6ee2be5b9b36a9b614ace8528de5830c94cea55041b6397e753364d2d5363c

                SHA512

                b07942b2dcb7a3f620ee417b678ce91b34863b7fc59dcc25cee67b74bf56acb185cd59900c5986c08bb07b08193a49f6b9422c077270ea5cc9a6f147cbe4cb99

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0ceoz898.default-release\SiteSecurityServiceState.txt
                Filesize

                459B

                MD5

                08b8fcb6c8bebeed51275968006fc6a1

                SHA1

                ef938f8026051490413d4a36f01667c46d429a53

                SHA256

                2ce761864f8a60251cc4fc545b267d7309d207c5b63a09891ea6aa92e472ab7a

                SHA512

                46274080e1f0c80873336c46815f74ac1d267773438cb8a566689318c98a224d47e11d592ad503a6c634897229095cbac0b834b34d2ff98bc4de5cc6ff697e42

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0ceoz898.default-release\datareporting\archived\2023-01\1673077564375.a4c230a7-e222-4590-b47d-aee854654174.main.jsonlz4
                Filesize

                6KB

                MD5

                a7eff09ba0ae586e83c8cbd44a6e6dc3

                SHA1

                c2facbd9f290897fac84393f2674071b6c224d41

                SHA256

                9eacf319917b6c317be9eaf863ac0a25e85e92c487c565230cdbaa8378270d9f

                SHA512

                907ec04435eec71f4e0f059ad16828a59658fee915678e56912f331317bdfd8e3b52947d1bd5614625613c327a28d07158b5c87e0cbcc549402ac666ded10f47

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0ceoz898.default-release\datareporting\archived\2023-01\1673077564388.ff2c7296-665e-4132-8a4a-979fbd3e4aa9.first-shutdown.jsonlz4
                Filesize

                6KB

                MD5

                709949fbef0c3b5474430f413a54d99f

                SHA1

                4c31bd27a15367d19e2f664ad36f9b1bc3fec751

                SHA256

                d7eacad925db467ad36c791e071245a19446b0a8fa1cb0ca4afea5af83ed495f

                SHA512

                c29d3783fbb4900e0aac3440e835447f07f949c401df28ac1f3a2846bc14df5432223dd90f703307687cd1e28caf916393e182f898b6fe2f3cf6daf94d918cfa

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0ceoz898.default-release\datareporting\session-state.json
                Filesize

                161B

                MD5

                7aa17c9d9bff9e55d3906174c4e61a32

                SHA1

                375b19b6179ad3d207918b758d655b214729c539

                SHA256

                e3cbda3f0456d26d2dc9d2551746577264e0c596dc565d083624b31e3cd0609a

                SHA512

                4c5b202fc15392639d1b0fb2b1a20da92a8b5a8bfeacb1ad3a2d2e70966bcf0beba5709bb5cd8419fc32085041c3160adaa7fe38a11b7e278f6c3cd52a8f93ab

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0ceoz898.default-release\prefs.js
                Filesize

                6KB

                MD5

                bf25137532f4b95fbb0e4515adfb1ca0

                SHA1

                117867deb4b68b8f6a27d795c12e0270d8ffe100

                SHA256

                dfb066cf2261a808c70e25168e6e2b4397dc66100e270008e17c6731207400b0

                SHA512

                9f00f49a5e0976bab4fccfa2c093ac58f3870ba0f205b17733f6efe4e551f6a692e8b06e01b22b2cc9506357eae375c6b91d811624ee7b6e8a1fd39e296f01c4

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0ceoz898.default-release\sessionCheckpoints.json
                Filesize

                204B

                MD5

                3e62554c9f218730ddf20915068266c9

                SHA1

                b19fc85839713623f0d0206870f88d9173705523

                SHA256

                c40d1a8460187b4e8f141f324e3a988805af7983606dd605ee2aef1cfc07e695

                SHA512

                31c099d65dfbb1c2fa33a5f6dc2fd088599f9ac2ed093320dccedffe447772817ea6c7e4c99037a927a941fc8e0722b25f04e679a848d4de43c8d8d49d02cf1d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0ceoz898.default-release\xulstore.json
                Filesize

                2B

                MD5

                99914b932bd37a50b983c5e7c90ae93b

                SHA1

                bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                SHA256

                44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                SHA512

                27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                Download Submit

              • C:\Users\Admin\Downloads\winrar-x64-611.exe
                Filesize

                3.3MB

                MD5

                8a6217d94e1bcbabdd1dfcdcaa83d1b3

                SHA1

                99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

                SHA256

                3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

                SHA512

                a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

                Download Submit

              • C:\Users\Admin\Downloads\winrar-x64-611.exe
                Filesize

                3.3MB

                MD5

                8a6217d94e1bcbabdd1dfcdcaa83d1b3

                SHA1

                99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

                SHA256

                3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

                SHA512

                a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

                Download Submit