Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-01-2023 03:25
Behavioral task behavioral1
Sample: Redline_20_2_crack.rar
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: Redline_20_2_crack.rar
Resource: win10v2004-20220812-en
General
Target: Redline_20_2_crack.rar
Size: 17.0MB
MD5: 29c151659c2460d90adaca01a53045c4
SHA1: e1a02696511991705827352a1496861997f72e42
SHA256: 2fe936d6b25266ad008ffe359931fc537bfbc3f00774af009c2de5f3abb04e1c
SHA512: 96d1fb469f91d1a36d374aaad497362b7e11110f7ed708c24136fce5b6ae11a14a2b7aa6cdf86e5d58e8149fffb0b8512bff2f6079531eae92d8089b9b39f4ed
SSDEEP: 393216:VcPxpiFTFeTwhLN3zmLen6r0OnbNm6TMaEcqpKVtckzH:KpGFqiLZb6Q2bNm8MaEcqdU
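Before relying on a sandbox report, confirm that the file in hand is the one it describes. The following is an added example (not part of this report or of the sandbox's own tooling): it reads the digests from the General section in the label/value layout printed above and compares them with digests computed over a file's bytes. The bytes hashed here are a constructed placeholder, since the sample is not distributed with the page, so every comparison is expected to report a mismatch; SSDEEP is left out because it needs the external ssdeep library.

```python
"""Verify a local sample against the digests listed in a sandbox report.

Added example for this report page; not part of the sandbox's own tooling.
The report lists MD5/SHA1/SHA256/SHA512 as label/value line pairs, which is
parsed here. The file bytes used below are constructed placeholder data,
because the real sample is not distributed with the report.
"""
import hashlib
from typing import Dict

# Digests exactly as printed in the report's "General" section.
REPORT_TEXT = """\
Target
Redline_20_2_crack.rar
Size
17.0MB
MD5
29c151659c2460d90adaca01a53045c4
SHA1
e1a02696511991705827352a1496861997f72e42
SHA256
2fe936d6b25266ad008ffe359931fc537bfbc3f00774af009c2de5f3abb04e1c
SHA512
96d1fb469f91d1a36d374aaad497362b7e11110f7ed708c24136fce5b6ae11a14a2b7aa6cdf86e5d58e8149fffb0b8512bff2f6079531eae92d8089b9b39f4ed
"""

# Label in the report -> hashlib constructor name, and expected hex length.
ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_report_hashes(text: str) -> Dict[str, str]:
    """Read the flattened label/value layout into {hashlib_name: hex_digest}.

    Only a label that names a known algorithm followed by a value of the
    right length and hex alphabet is accepted, so a stray label or a
    truncated digest cannot poison the comparison.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    found: Dict[str, str] = {}
    for label, value in zip(lines, lines[1:]):
        algo = ALGORITHMS.get(label.upper())
        if algo is None:
            continue
        value = value.lower()
        if len(value) == HEX_LEN[algo] and all(c in "0123456789abcdef" for c in value):
            found[algo] = value
    return found


def digest_bytes(data: bytes, algos) -> Dict[str, str]:
    """Hash the data with every requested algorithm in one pass, in chunks
    as one would for a large file."""
    hashers = {a: hashlib.new(a) for a in algos}
    view = memoryview(data)
    chunk = 1 << 20
    for off in range(0, len(view), chunk):
        for h in hashers.values():
            h.update(view[off:off + chunk])
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_sample(data: bytes, expected: Dict[str, str]) -> Dict[str, bool]:
    """Return {algorithm: matches?} for every digest the report provides."""
    actual = digest_bytes(data, expected.keys())
    return {a: actual[a] == expected[a] for a in expected}


if __name__ == "__main__":
    expected = parse_report_hashes(REPORT_TEXT)
    # Constructed stand-in for the sample bytes: NOT the real archive, so
    # every comparison below is expected to come back as a mismatch.
    placeholder = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 64
    for algo, ok in verify_sample(placeholder, expected).items():
        print(f"{algo:7s} {'match' if ok else 'MISMATCH'}")
```

Read the real archive in binary mode and pass its bytes to verify_sample; a single mismatching algorithm means the report describes a different file (or a different member of a re-packed archive) and its signatures should not be attributed to the file in hand.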
Malware Config
Extracted from: C:\Program Files\WinRAR\Rar.txt
Extracted from: C:\Program Files\WinRAR\WhatsNew.txt
URLs (http/https):
http://weirdsgn.com
http://icondesignlab.com
https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
Rar.txt and WhatsNew.txt are WinRAR documentation files written by the installer (both appear under "Drops file in Program Files directory" below), so these URLs are installer content rather than indicators belonging to the archive's own payload.
Signatures
Modifies system executable filetype association (2 TTPs, 8 IoCs)
Processes: uninstall.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} (uninstall.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ (uninstall.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 (uninstall.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" (uninstall.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} (uninstall.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ (uninstall.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR (uninstall.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" (uninstall.exe)
Downloads MZ/PE file
Executes dropped EXE (4 IoCs)
Processes (pid, process):
648 winrar-x64-620.exe
3856 uninstall.exe
4804 WinRAR.exe
4904 Kurome.Loader.exe
Registers COM server for autorun (1 TTPs, 3 IoCs)
Processes: uninstall.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" (uninstall.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 (uninstall.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" (uninstall.exe)
The server registered here is rarext.dll inside the WinRAR directory that winrar-x64-620.exe populated (see "Drops file in Program Files directory"), and the same CLSID is the one wired into WinRAR's context-menu and property-sheet handler keys. This signature fires on any InProcServer32 registration, so check the DLL path before reading it as persistence.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, a common geofence check.
Processes: winrar-x64-620.exe
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (winrar-x64-620.exe)
Note that the querying process is winrar-x64-620.exe, the WinRAR installer launched from the Downloads folder (see the process tree), not a file from the archive.
Loads dropped DLL (1 IoCs)
Processes (pid, process):
3092 (process image not shown in this extract)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (60 IoCs)
Processes: winrar-x64-620.exe, uninstall.exe
All paths below are under C:\Program Files\WinRAR\ unless shown in full.
File created by winrar-x64-620.exe (29):
RarExtLogo.altform-unplated_targetsize-64.png, WinRAR.exe, RarExtPackage.msix, Resources.pri, Default64.SFX, Uninstall.exe, UnRAR.exe, Descript.ion, Order.htm, RarExtInstaller.exe, 7zxa.dll, RarExt.dll, __tmp_rar_sfx_access_check_240588656, RarExtLogo.altform-unplated_targetsize-48.png, RarFiles.lst, Rar.exe, Default.SFX, Zip.SFX, WinCon64.SFX, ReadMe.txt, Rar.txt, RarExt32.dll, RarExtLogo.altform-unplated_targetsize-32.png, WinRAR.chm, Zip64.SFX, License.txt, Uninstall.lst, WhatsNew.txt, WinCon.SFX
File created by uninstall.exe (2):
rarnew.dat, zipnew.dat
File opened for modification by winrar-x64-620.exe (29):
WinRAR.chm, Rar.txt, Resources.pri, RarExtLogo.altform-unplated_targetsize-48.png, C:\Program Files\WinRAR (the directory itself), RarExtPackage.msix, RarFiles.lst, Zip.SFX, RarExtLogo.altform-unplated_targetsize-64.png, RarExt.dll, ReadMe.txt, Uninstall.lst, UnRAR.exe, WinRAR.exe, Default64.SFX, Zip64.SFX, Descript.ion, WhatsNew.txt, Order.htm, License.txt, RarExt32.dll, Default.SFX, Rar.exe, RarExtInstaller.exe, Uninstall.exe, RarExtLogo.altform-unplated_targetsize-32.png, WinCon.SFX, WinCon64.SFX, 7zxa.dll
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s); the sandbox rates this as possible ransomware behaviour. No process is attributed in this extract, and the same drive enumeration is routine for installers and archivers, so on its own it is a low-confidence heuristic.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
(Signature name not captured in this extract; 4 IoCs)
Processes: WinRAR.exe
Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync (WinRAR.exe)
Set value (int): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" (WinRAR.exe)
Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (WinRAR.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (WinRAR.exe)
Modifies registry class (64 IoCs)
Processes: uninstall.exe, WinRAR.exe, cmd.exe
The acting process is uninstall.exe unless noted.
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r11
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.txz
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r27
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.r27\ = "WinRAR"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r28
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r12
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,1"
Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (WinRAR.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r25
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r20
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.cab
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.tlz
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r05
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.r03\ = "WinRAR"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"
Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (cmd.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r06
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r18
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.7z
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r21
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.zst
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.rar
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r17
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.taz
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.r07
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"
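The registry rows under "Modifies system executable filetype association", "Registers COM server for autorun", "Checks computer location settings" and "Modifies registry class" above are printed run together, and the signature names alone do not say which of them matter. The example below is added here and is not the sandbox's code: it parses rows in that layout into records and applies a few triage rules (where an in-process COM server's DLL lives, what a shell open command launches, handlers hung off exefile/lnkfile, and the Geo\Nation lookup). The rules, severities and the trusted-directory list are this example's own assumptions; the sample rows are copied from this report, except the final hypothetical row with a DLL under AppData, which is constructed to show the rule firing.

```python
"""Turn the report's flattened registry IoC rows into records and rank them.

Added example for this page, not the sandbox's own code. Input rows are the
report's text, e.g. "Key created <path> <process>" and
"Set value (str) <path> = "<value>" <process>", run together as the page
prints them or one per line. Triage rules, severities and the directories
treated as normal homes for COM DLLs and handlers are this example's
assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ACTIONS = r"Key created|Key opened|Key value queried|Set value \((?:str|int)\)"
# One record: action, path[ = "value"], then the acting image, which is
# followed by the next action or by the end of the text.
RECORD_RE = re.compile(
    rf"(?P<action>{ACTIONS})\s+(?P<rest>.*?)\s+(?P<process>\S+\.exe)"
    rf"(?=\s+(?:{ACTIONS})|\s*$)", re.S)
VALUE_RE = re.compile(r'^(?P<path>.+?)\s+=\s+"(?P<value>.*)"$', re.S)

# Assumption: DLLs and handlers under these roots are what installed
# software normally registers; anything else deserves a look.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass
class Record:
    action: str
    path: str
    value: Optional[str]   # None when the row only creates a key / sets no data
    process: str


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str
    record: Record


def unescape(value: str) -> str:
    """Undo the report's C-style escaping of backslashes and quotes."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def parse_rows(text: str) -> List[Record]:
    records = []
    for m in RECORD_RE.finditer(text):
        rest, value = m["rest"], None
        vm = VALUE_RE.match(rest)
        if m["action"].startswith("Set value") and vm:
            rest, value = vm["path"], vm["value"]
        records.append(Record(m["action"], rest, value, m["process"]))
    return records


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def first_token(command: str) -> str:
    """Executable of a shell command line: the quoted token or first word."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    return (m.group(1) or m.group(2)) if m else command


def triage(records: List[Record]) -> List[Finding]:
    out: List[Finding] = []
    for r in records:
        low = r.path.lower()
        parts = r.path.split("\\")          # parts[5] is the ProgID/type under Classes
        if low.endswith("\\inprocserver32\\") and r.value:
            dll = unescape(r.value)
            sev = "info" if in_trusted_dir(dll) else "high"
            out.append(Finding(sev, "com-inproc-server", f"{parts[-3]} -> {dll}", r))
        elif "\\shell\\open\\command\\" in low and r.value:
            exe = first_token(unescape(r.value))
            progid = parts[-5]
            if progid.lower() in ("exefile", "lnkfile", "batfile", "cmdfile"):
                sev = "high"      # rewires how every .exe/.lnk/.bat/.cmd is launched
            else:
                sev = "info" if in_trusted_dir(exe) else "medium"
            out.append(Finding(sev, "open-command", f"{progid} -> {exe}", r))
        elif "\\shellex\\" in low and ("\\classes\\exefile\\" in low or "\\classes\\lnkfile\\" in low):
            # A handler hung off a system file type: noisy for installers, but
            # listed because the same keys are a known persistence location.
            handler = parts[parts.index("shellex") + 1]
            out.append(Finding("low", "shell-extension-on-system-type",
                               f"{parts[5]} {handler} {r.value or ''}".strip(), r))
        elif low.endswith("\\geo\\nation") and r.action == "Key value queried":
            out.append(Finding("low", "locale-lookup",
                               "reads the configured country (possible geofence)", r))
    return sorted(out, key=lambda f: SEVERITY_ORDER[f.severity])


# Rows copied from this report (one per line here; the page runs them together).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" uninstall.exe
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation winrar-x64-620.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" uninstall.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" uninstall.exe
"""
# Hypothetical row, NOT from the report: an in-process COM server registered
# from a user-writable directory, the case the "high" branch is for.
CONSTRUCTED_BAD_ROW = r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ext.dll" sample.exe'

if __name__ == "__main__":
    for f in triage(parse_rows(SAMPLE_ROWS + CONSTRUCTED_BAD_ROW)):
        print(f"[{f.severity:4}] {f.rule:32} {f.detail}  ({f.record.process})")
```

On this report's own rows every finding comes out info or low: the COM server and the open commands point into C:\Program Files\WinRAR, which the installer populated, and the exefile/lnkfile entries are property-sheet and context-menu handlers rather than a changed open command. The same com-inproc-server rule turns high for the constructed row only because its DLL sits under AppData, which is the situation the signature name is really warning about.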
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes (pid, process): 3032 chrome.exe (x2), 2828 chrome.exe (x2), 920 chrome.exe (x2), 1684 chrome.exe (x2), 640 chrome.exe (x2), 1544 chrome.exe (x2), 2588 chrome.exe (x2), 4872 chrome.exe (x2)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process): 4804 WinRAR.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicroso

ftBinary (11 IoCs)
Processes (pid, process): 2828 chrome.exe (x11)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process): Token: SeDebugPrivilege, 4904 Kurome.Loader.exe
Kurome.Loader.exe (pid 4904, listed under "Executes dropped EXE") is the only dropped executable in this report that is not part of the WinRAR install, and the only process that enabled SeDebugPrivilege; its launch does not appear in the part of the process tree captured below.
Suspicious use of FindShellTrayWindow (43 IoCs)
Processes (pid, process): 2828 chrome.exe (x37), 4804 WinRAR.exe (x6)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid, process): 2828 chrome.exe (x24)
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes (pid, process): 1560 OpenWith.exe, 648 winrar-x64-620.exe (x2), 4804 WinRAR.exe (x2)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: chrome.exe
All 64 entries have pid 2828 chrome.exe writing into another chrome.exe process. Target pids: 820 (2 entries), 3032 (2 entries), 4324 and 4376 (all remaining entries).
Writes from a browser broker into the children it has just spawned, all of the same image, are how Chrome bootstraps its sandboxed processes; the count alone is not evidence of injection. Writes into a process of a different image would be.
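The WriteProcessMemory rows above are the kind of signature an analyst has to triage rather than take at face value. The following example is added here and is not the sandbox's code: it parses rows in the report's "PID <src> wrote to memory of <dst> <src> <source image> <target image>" layout, counts writes per source/target pair, and separates same-image writes (a parent feeding its own children, as chrome.exe does here) from writes into a foreign image. That split is this example's own rule, not something the report computes; the sample rows are a subset copied from this report, and the final injection-shaped row is constructed to show the other branch.

```python
"""Aggregate "Suspicious use of WriteProcessMemory" rows and separate a
process writing into children of its own image from writes into foreign
images.

Added example for this page, not the sandbox's code. The row format is the
report's: "PID <src> wrote to memory of <dst> <src> <source image> <target
image>", run together on one line or one per line. Treating same-image
writes as expected (a multi-process browser passes startup data to each new
child this way) and anything else as worth review is this example's own
rule; the last row is constructed, not from the report.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<src_img>\S+)\s+(?P<dst_img>\S+)")

# (source pid, source image, target pid, target image)
Pair = Tuple[int, str, int, str]

# Rows copied from this report (a subset of its 64; all chrome.exe -> chrome.exe).
SAMPLE_ROWS = """
PID 2828 wrote to memory of 820 2828 chrome.exe chrome.exe
PID 2828 wrote to memory of 820 2828 chrome.exe chrome.exe
PID 2828 wrote to memory of 4324 2828 chrome.exe chrome.exe
PID 2828 wrote to memory of 4324 2828 chrome.exe chrome.exe
PID 2828 wrote to memory of 4324 2828 chrome.exe chrome.exe
PID 2828 wrote to memory of 3032 2828 chrome.exe chrome.exe
PID 2828 wrote to memory of 3032 2828 chrome.exe chrome.exe
PID 2828 wrote to memory of 4376 2828 chrome.exe chrome.exe
PID 2828 wrote to memory of 4376 2828 chrome.exe chrome.exe
"""
# Constructed row, NOT from the report: a write into a different image.
CONSTRUCTED_INJECTION_ROW = "PID 5000 wrote to memory of 1234 5000 sample.exe explorer.exe"


def parse_rows(text: str) -> List[Pair]:
    pairs: List[Pair] = []
    for m in ROW_RE.finditer(text):
        if m["pid"] != m["src"]:      # malformed row: the two source pids disagree
            continue
        pairs.append((int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]))
    return pairs


def classify(pairs: List[Pair]) -> Dict[str, List[Tuple[Pair, int]]]:
    """Count rows per (source, target) pair and bucket them.

    expected: the target runs the same image as the writer; many rows per
              target are normal, since a parent writes in several calls
              while it sets up a child.
    review:   the target is a different image, the shape of classic
              process injection.
    """
    buckets: Dict[str, List[Tuple[Pair, int]]] = {"expected": [], "review": []}
    counts = Counter(pairs)
    for pair, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        _, src_img, _, dst_img = pair
        key = "expected" if src_img.lower() == dst_img.lower() else "review"
        buckets[key].append((pair, n))
    return buckets


def summarize(text: str) -> Dict[str, object]:
    pairs = parse_rows(text)
    b = classify(pairs)
    sources = {p[0] for p in pairs}
    return {
        "rows": len(pairs),
        "targets_per_source": {s: sorted({p[2] for p in pairs if p[0] == s}) for s in sources},
        "expected": b["expected"],
        "review": b["review"],
    }


if __name__ == "__main__":
    for label, text in (("report rows", SAMPLE_ROWS),
                        ("with constructed row", SAMPLE_ROWS + CONSTRUCTED_INJECTION_ROW)):
        s = summarize(text)
        print(f"{label}: {s['rows']} rows, {len(s['review'])} pair(s) to review")
        for (src, si, dst, di), n in s["review"]:
            print(f"  REVIEW {src} {si} -> {dst} {di} x{n}")
```

Same-image is a coarse filter: it would also wave through a write from a malicious binary that happens to share a name with its target, so in a full investigation confirm from the process tree that each target is a direct child created just before the write, which is the case for the chrome.exe children listed below.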
Processes
Depth markers [1], [2], [3] are the report's nesting levels (the page's ⤵ markers); each entry lists the image, then its command line, then the signatures attributed to it. The tree is cut off after uninstall.exe in this extract. Note that winrar-x64-620.exe runs from the Downloads folder as a child of chrome.exe, after cmd /c opened the archive and OpenWith.exe appeared; the WinRAR installer and its uninstall.exe /setup step account for the file-drop and registry signatures listed above.
[1] C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Redline_20_2_crack.rar
    - Modifies registry class
[1] C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious use of SetWindowsHookEx
[1] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9b1e4f50,0x7ffc9b1e4f60,0x7ffc9b1e4f70
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:2
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4024 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5372 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5364 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5692 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5672 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6088 /prefetch:8
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6060 /prefetch:8
    [2] C:\Users\Admin\Downloads\winrar-x64-620.exe
        "C:\Users\Admin\Downloads\winrar-x64-620.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Drops file in Program Files directory
        - Suspicious use of SetWindowsHookEx
        [3] C:\Program Files\WinRAR\uninstall.exe
            "C:\Program Files\WinRAR\uninstall.exe" /setup
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3044 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1168 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,9823678734336485774,16968724864141283381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3988 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Desktop\Redline_20_2_crack.rar"1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Loader\Kurome.Loader.exe"C:\Users\Admin\Desktop\Redline_20_2_crack\Kurome.Loader\Kurome.Loader.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads