Analysis

  • max time kernel
    390s
  • max time network
    334s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-02-2023 22:16

General

  • Target

    winrar-611br.msi

  • Size

    4.5MB

  • MD5

    68ba045e1427d63d03660ef2d88584d0

  • SHA1

    a3e9bd9adddf1aaaaff03cd69a7128e6fc774977

  • SHA256

    e06b212b0c26d4f385a3623c64820b3ea4bbd83065646a38d1f3e0cfdfbb0898

  • SHA512

    d677806a4c4ed419995b0ead65db4081c3e4b002e400fafb8d042d6695e7e17cc476a0ccc8df9c1caed164254ba2536c73891f89f6f9f57aea7a5421a6d964e8

  • SSDEEP

    98304:MYGKdAHTgvV1OsKnG5vgzfTVkdRTpRjbrvC7gEjT7A3:i81OsKG6zfTVkddpdTCRj

Malware Config

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note (sandbox heuristic match: the text below is the legitimate RAR 6.11 console manual, Rar.txt, written to C:\Program Files\WinRAR by the WinRAR setup that runs in the process tree further down; it is not a ransom note)
User's Manual
~~~~~~~~~~~~~
RAR 6.11 console version
~~~~~~~~~~~~~~~~~~~~~~~~

=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Welcome to the RAR Archiver!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Introduction
~~~~~~~~~~~~

RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual.

RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format.

Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe).

Configuration file
~~~~~~~~~~~~~~~~~~

RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory.

RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string:

    switches=<any RAR switches separated by spaces>

For example:

    switches=-m5 -s

It is also possible to specify separate switch sets for individual RAR commands using the following syntax:

    switches_<command>=<any RAR switches separated by spaces>

For example:

    switches_a=-m5 -s
    switches_x=-o+

Environment variable
~~~~~~~~~~~~~~~~~~~~

Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile:

    RAR='-s -md1024'
    export RAR

RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size.

RAR handles options with priority as following:

    command line switches                  highest priority
    switches in the RAR variable           lower priority
    switches saved in configuration file   lowest priority

Log file
~~~~~~~~

If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details.

The file order list for solid archiving - rarfiles.lst
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'.

In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc.

Tips to provide improved compression and speed of operation:

- similar files should be grouped together in the archive;
- frequently accessed files should be placed at the beginning.

Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'.

RAR command line syntax
~~~~~~~~~~~~~~~~~~~~~~~

Syntax

    RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ]

Description

Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted.

Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings:

    c:\work\doc\*.txt //backup text documents
    c:\work\image\*.bmp //backup pictures
    c:\work\misc

and then run:

    rar a backup @backup.lst

If you wish to read file names from stdin (standard input), specify the empty listfile name (just @).

By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch.

You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files.

path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch.

Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting.

In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory:

    rar e '*.rar' '*.asm'

Command could be any of the following:

a       Add files to archive.

    Examples:

    1) add all *.hlp files from the current directory to the archive help.rar:

        rar a help *.hlp

    2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume:

        rar a -r -v362 -s -sfx -rr save

    Because no file names are specified, all files (*) are assumed.

    3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar:

        rar a Pictures.rar Bitmaps

    4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified:

        rar a Pictures.rar Bitmaps\*

c       Add archive comment.

    Comments are displayed while the archive is being processed. Comment length is limited to 256 KB.

    Examples:

        rar c distrib.rar

    Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file:

        rar c -zinfo.txt dummy

ch      Change archive parameters.

    This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command.

    It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If used without any switches, 'ch' command just copies the archive data without modification.

    Example:

    Set archive time to latest file:

        rar ch -tl files.rar

cw      Write archive comment to specified file.

    Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout.

    Examples:

    1) rar cw arc comment.txt
    2) rar cw -scuc arc unicode.txt
    3) rar cw arc

d       Delete files from archive.

    If this command removes all files from archive, the empty archive is removed.

e       Extract files without archived paths.

    Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames.

    Example:

        rar e -or html.rar *.css css\

    extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name.

f       Freshen files in archive.

    Updates archived files older than files to add. This command will not add new files to the archive.

i[i|c|h|t]=<string>
        Find string in archives.

    Supports following optional parameters:

        i - case insensitive search (default);
        c - case sensitive search;
        h - hexadecimal search;
        t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables;

    If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string>

    It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables.

    Examples:

    1) rar "ic=first level" -r c:\*.rar *.txt

       Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c:

    2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar

       Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory.

k       Lock archive.

    RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups.

    This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR.

    Example:

        rar k final.rar

l[t[a],b]
        List archive contents [technical [all], bare].

    'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character.

    'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters.

    'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data.

    'lb' lists bare file names with path, one per line, without any additional information.

    You can use -v switch to list contents of all volumes in volume set:

        rar l -v vol.part1.rar

    Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly.

m[f]    Move to archive [files only].

    Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied.

p       Print file to stdout.

    Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data.

r       Repair archive.

    Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name.

    If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present.

    When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name.

    By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory.

    Example:

        rar r buggy.rar c:\fixed\

    repair buggy.rar and place the result to 'c:\fixed' directory.

rc      Reconstruct missing and damaged volumes using recovery volumes (.rev files).

    You need to specify any existing .rar or .rev volume as the archive name.

    Example:

        rar rc backup.part03.rar

    Read 'rv' command description for information about recovery volumes.

rn      Rename archived files.

    The command syntax is:

        rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN>

    For example, the following command:

        rar rn data.rar readme.txt readme.bak info.txt info.bak

    will rename readme.txt to readme.bak and info.txt to info.bak in the archive data.rar.

    It is allowed to use wildcards in the source and destination names for simple name transformations

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note (sandbox heuristic match: the text below is WinRAR's own change log, WhatsNew.txt, written to C:\Program Files\WinRAR by the WinRAR setup that runs in the process tree further down; it is not a ransom note)
WinRAR - What's new in the latest version

Version 6.11

1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB.

2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments.

3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version.

4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive.

5. Additional measures to prevent extracting insecure links are implemented.

6. Bugs fixed:

   a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later;

   b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction.

Version 6.10

1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm.

2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog.

3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older.

4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista.

5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done.

6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction.

7. Switch -si can be used when extracting or testing to read archive data from stdin, such as:

       type docs.rar | rar x -si -o+ -pmypwd dummy docs\

   Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to be specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts.

8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example:

       rar a -ep4texts\books archive c:\texts\books\technical

   removes "text\books" from archived names, so they start from 'technical'.

9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch.

10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character.

11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data.

12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes.

13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes.

14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently.

15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion.

16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy.

17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives:

       WinRAR a -v100k -v200k -v300k arcname.zip

   Previously multiple -v<size> switches were supported only for RAR archives.

18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives.

19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened.

20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities.

21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression".

22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name.

23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows.

24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gracefully skip external data like digital signatures.

25. Bugs fixed:

   a) when editing a file inside of .rar or .zip archive, WinRAR created a new SFX archive instead of updating an existing archive if "Create SFX archive" option was set in the default compression profile;

   b) the total progress could be displayed incorrectly when using -oi, -f, -u switches or appropriate GUI options;

   c) "Find files" command with "Use all tables" option and command line "it" commands failed to find strings in UTF-16 encoding.

Version 6.02

1. ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body. We already prohibited extracting contents of such malformed archives in WinRAR 6.01. We are thankful to Jacob Thompson - Mandiant Advantage Labs for reporting this issue.

2. WinRAR uses https instead of http in the web notifier window, home page and themes links. It also implements additional checks within the web notifier. This is done to prevent a malicious web page from executing existing files on a user's computer. Such attack is only possible if the intruder has managed to spoof or otherwise control user's DNS records. Some other factors are also involved in limiting the practical application of this attack. We would like to express our gratitude to Igor Sak-Sakovskiy for bringing this issue to our attention.

3. Where appropriate, SFX archive displays the additional line with detailed error information provided by operating system. For example, previously such archive would display "Cannot create file" message alone. Now this message is followed by a detailed reason like access denied or file being used by another process. In the past this extended error information was available in WinRAR, but not in SFX archives.

4. Switch -idn hides archived names also in 'v' and 'l' commands. It can be useful if only the archive type or total information is needed.

5. If -ibck -ri<priority> switches are used together, WinRAR process sets the priority specified in -ri switch. Previous versions ignored -ri and set the priority to low in the presence of -ibck switch.

6. When using "File/Change drive" command, WinRAR saves the last folder of previous drive and restores it if that drive is selected again later.

7. Name of unpacking file is now included into WinRAR incorrect password warning for RAR5 archives. It can be helpful when unpacking a non-solid archive containing files encrypted with different passwords.

8. Bugs fixed:

   a) "Convert archives" command issued erroneous "The specified password is incorrect" message after successfully converting RAR archive with encrypted file names if new password was set and archive was opened in WinRAR shell;

   b) if command progress window was resized up and then quickly resized down to original dimensions, window contents could be positioned incorrectly.

Version 6.01

1. Ctrl+A keyboard shortcut selects the entire text in WinRAR comment window.

2. If -idn switch is used together with -t or -df in console RAR when archiving, it additionally disables "Deleting <filename>" or "Testing <filename>" messages, normally issued by these switches. Also -idn disables folder creation messages when extracting a file to non-existing folder.

3. WinRAR and ZIP SFX module refuse to extract contents of ZIP SFX archives if ZIP central directory is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into signature body.

4. Bugs fixed:

   a) "Convert archives" command could incorrectly convert Unicode comments in RAR archives.

   b) if two archive information windows had been opened from Explorer context menu, the compression ratio bar in the first window could erroneously display a value for second archive. It did not affect the ratio and other text details at the right of window. Only the vertical bar at the left could be updated to a wrong value;

   c) if "Wait if other WinRAR copies are active" option was enabled in extraction dialog, "Waiting for another WinRAR copy" title was not set in command progress window while waiting;

   d) when extracting a symbolic link, previous versions did not overwrite existing symbolic links even if user requested it in overwrite prompt.

Version 6.00

1. "Ignore" and "Ignore All" options are added to read error prompt. "Ignore" allows to continue processing with already read file part only and "Ignore All" does it for all future read errors. For example, if you archive a file, which portion is locked by another process, and if "Ignore" is selected in read error prompt, only a part of file preceding the unreadable region will be saved into archive. It can help to avoid interrupting lengthy archiving operations, though be aware that files archived with "Ignore" are incomplete. If switch -y is specified, "Ignore" is applied to all files by default. Previously available "Retry" and "Quit" options are still present in read error prompt as well.

2. Exit code 12 is returned in the command line mode in case of read errors. This code is returned for all options in the read error prompt, including a newly introduced "Ignore" option. Previously more common fatal error code 2 was returned for read errors.

3. If several archives are selected, "Extract archives to" option group in "Options" page of extraction dialog can be used to place extracted files to specified destination folder, to separate subfolders in destination folder, to separate subfolders in archive folders and directly to archive folders. It replaces "Extract archives to subfolders" option and available only if multiple archives are selected.

4. New -ad2 switch places extracted files directly to archive's own folder. Unlike -ad1, it does not create a separate subfolder for each unpacked archive.

5. "Additional switches" option in "Options" page of archiving and extraction dialogs allows to specify WinRAR command line switches. It might be useful if there is no option in WinRAR graphical interface matching a switch. Use this feature only if you are familiar with WinRAR command line syntax and clearly understand what specified switches are intended for.

6. Compression parameters in "Benchmark" command are changed to 32 MB dictionary and "Normal" method. They match RAR5 default mode and more suitable to estimate the typical performance of recent WinRAR versions than former 4 MB "Best" intended for RAR4 format. Latest "Benchmark" results cannot be compared with previous versions directly. New parameters set produces different values, likely lower because of eight times larger dictionary size.

7. When unpacking a part of files from solid volume set, WinRAR attempts to skip volumes in the beginning and

URLs

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

https://technet.microsoft.com/en-us/library/security/ms14-064.aspx

http://rarlab.com/vuln_sfx_html2.htm

https://blake2.net

Signatures

  • Lampion

    Lampion is a banking trojan targeting Portuguese-speaking countries.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 20 IoCs
  • Modifies system executable filetype association 2 TTPs 8 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 60 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but in this run the family classification is Lampion (a banking trojan), the only drive enumeration attributed in the process tree below belongs to msiexec.exe (the Windows Installer engine), and no file-encryption activity is reported, so treat this signature as supporting context rather than evidence of ransomware.

  • Modifies Internet Explorer settings 1 TTPs 63 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\winrar-611br.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1668
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 34AD5615DBE97D54DC27291571FD18B6
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss8D36.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi8D04.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr8D15.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr8D16.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\astuto\escasso\Hw2confiança.exe
          "C:\astuto\escasso\Hw2confiança.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:1896
        • C:\Users\Public\Documents\AnyDesk\winrar.exe
          "C:\Users\Public\Documents\AnyDesk\winrar.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2056
          • C:\Program Files\WinRAR\uninstall.exe
            "C:\Program Files\WinRAR\uninstall.exe" /setup
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system executable filetype association
            • Registers COM server for autorun
            • Drops file in Program Files directory
            • Modifies registry class
            PID:2856
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:560
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A0" "00000000000003A8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1956
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      PID:1704
  • C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    1⤵
    • Executes dropped EXE
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    PID:2196
  • C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    1⤵
    • Executes dropped EXE
    PID:3000
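
The tree above shows the Windows Installer custom-action pattern: the msiexec.exe service (/V) starts a 32-bit MsiExec.exe -Embedding custom action server, which runs powershell.exe with -ExecutionPolicy Bypass on a script in the user's Temp directory, and that script launches Hw2confiança.exe from C:\astuto\escasso and winrar.exe from C:\Users\Public\Documents\AnyDesk, while a WinRAR install proceeds under C:\Program Files\WinRAR alongside it. The Python below is an added example, not part of the sandbox report or of any vendor tool: it rebuilds the chain as parent/child records taken from the tree (the parent links are an assumption read off the tree depth) and applies two rules, one for an installer-spawned PowerShell running a Temp script with the policy bypassed, one for any executable that PowerShell then starts from outside the Windows and Program Files roots. The rule names and the trusted-root list are this example's own choices.

```python
"""Flag the installer -> PowerShell -> dropped-EXE chain from the process tree above.

Added example for this report, not sandbox or vendor code. EVENTS is
constructed from the report's tree (PIDs, images, command lines as shown);
parent links follow the tree depth. Rule names and the trusted-root list
are this example's own choices.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int       # 0 marks a tree root (the report shows no parent for depth-1 nodes)
    image: str
    cmdline: str


# Constructed from the report's process tree (assumption: tree depth == parent/child).
EVENTS = [
    Proc(1628, 0, r"C:\Windows\system32\msiexec.exe",
         r"C:\Windows\system32\msiexec.exe /V"),
    Proc(1348, 1628, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding 34AD5615DBE97D54DC27291571FD18B6"),
    Proc(1568, 1348, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'-NoProfile -Noninteractive -ExecutionPolicy Bypass '
         r'-File "C:\Users\Admin\AppData\Local\Temp\pss8D36.ps1" '
         r'-propFile "C:\Users\Admin\AppData\Local\Temp\msi8D04.txt" '
         r'-scriptFile "C:\Users\Admin\AppData\Local\Temp\scr8D15.ps1"'),
    Proc(1896, 1568, r"C:\astuto\escasso\Hw2confiança.exe",
         r'"C:\astuto\escasso\Hw2confiança.exe"'),
    Proc(2056, 1568, r"C:\Users\Public\Documents\AnyDesk\winrar.exe",
         r'"C:\Users\Public\Documents\AnyDesk\winrar.exe"'),
    Proc(2856, 2056, r"C:\Program Files\WinRAR\uninstall.exe",
         r'"C:\Program Files\WinRAR\uninstall.exe" /setup'),
]

INSTALLER_IMAGES = {"msiexec.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Images under these roots count as vendor-installed; everything else is "untrusted".
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BYPASS_RE = re.compile(r"-executionpolicy\s+bypass", re.IGNORECASE)
TEMP_SCRIPT_RE = re.compile(
    r'-file\s+"?([^"\s]*\\appdata\\local\\temp\\[^"\s]*\.ps1)', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(proc: Proc, by_pid: dict) -> list:
    """Walk parent links up to the root; a missing parent ends the chain."""
    chain = []
    cur = by_pid.get(proc.ppid)
    while cur is not None:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def flag(events) -> list:
    """Return (pid, rule, detail) for every process matching one of two rules."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        chain = ancestors(p, by_pid)
        under_installer = any(basename(a.image) in INSTALLER_IMAGES for a in chain)
        under_shell = any(basename(a.image) in SHELL_IMAGES for a in chain)
        # Rule 1: Windows Installer custom action running a Temp PowerShell script
        #         with the execution policy bypassed.
        if under_installer and basename(p.image) in SHELL_IMAGES:
            m = TEMP_SCRIPT_RE.search(p.cmdline)
            if m and BYPASS_RE.search(p.cmdline):
                findings.append((p.pid, "msi_powershell_custom_action", m.group(1)))
        # Rule 2: an executable started by that PowerShell from outside the vendor
        #         roots (here C:\astuto\... and C:\Users\Public\...).
        if under_installer and under_shell and not p.image.lower().startswith(TRUSTED_ROOTS):
            findings.append((p.pid, "exe_from_untrusted_path", p.image))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in flag(EVENTS):
        print(f"PID {pid:<5} {rule:<30} {detail}")
```

Note what the path rule does not catch: uninstall.exe under C:\Program Files\WinRAR passes as trusted even though it descends from the same PowerShell, so path-based trust should be backed by the file hashes in the Downloads section or by signature checks rather than used on its own.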

MITRE ATT&CK Matrix (ATT&CK v6; the number after each technique is the count of report signatures mapped to it)

  • Persistence
    Change Default File Association (1) T1042
    Registry Run Keys / Startup Folder (2) T1060
  • Defense Evasion
    Modify Registry (4) T1112
    Install Root Certificate (1) T1130
  • Discovery
    Query Registry (2) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (2) T1082

    These are ATT&CK v6 IDs. In current ATT&CK, T1042 is T1546.001, T1060 is T1547.001 and T1130 is T1553.004; T1112, T1012, T1120 and T1082 keep their IDs.

Downloads (files written during the run, followed by memory dumps)

  • C:\Config.Msi\6c7e0a.rbs
    Filesize

    606KB

    MD5

    73100c6a21c5fc2561666cd83ede2c83

    SHA1

    ebc7746251a12659da2091bd377cf9b6ab634061

    SHA256

    546c0bfcae1da091f1335cf26e2e0662a0f9914edbf431750920bcac0e4b5436

    SHA512

    e323e2e69d3a686883a73a042946627cdc1253ef1775fb165a0fdd6814ad96edb955f070e49410a682cc96beeab1b9fa450eb4e946de5bf8a03f5adec2cccf88

  • C:\Program Files\WinRAR\Rar.txt
    Filesize

    107KB

    MD5

    8933d6e810668af29d7ba8f1c3b2b9ff

    SHA1

    760cbb236c4ca6e0003582aaefd72ff8b1c872aa

    SHA256

    cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7

    SHA512

    344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e

  • C:\Program Files\WinRAR\Uninstall.exe
    Filesize

    412KB

    MD5

    92667e28583a9489e3cf4f1a7fd6636e

    SHA1

    faa09990ba4daae970038ed44e3841151d6e7f28

    SHA256

    9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

    SHA512

    63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

  • C:\Program Files\WinRAR\WhatsNew.txt
    Filesize

    95KB

    MD5

    d4c768c52ee077eb09bac094f4af8310

    SHA1

    c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1

    SHA256

    8089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c

    SHA512

    5b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847

  • C:\Program Files\WinRAR\WinRAR.chm
    Filesize

    314KB

    MD5

    81b236ef16aaa6a3936fd449b12b82a2

    SHA1

    698acb3c862c7f3ecf94971e4276e531914e67bc

    SHA256

    d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e

    SHA512

    968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769

  • C:\Program Files\WinRAR\WinRAR.exe
    Filesize

    2.3MB

    MD5

    0b114fc0f4b6d49f57b3b01dd9ea6a8c

    SHA1

    23e1480c3ff3a54e712d759e9325d362bf52fabd

    SHA256

    f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

    SHA512

    e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2838d0dec8f164f67045d764142cbf62

    SHA1

    c4fc2558b11ee21be1b72f343dec9275a6939a45

    SHA256

    0bbc285d19c099bfb4393fa13c7b4b961c69748d3a3dfc6682ee050d0a1982d6

    SHA512

    0fd3929d799c0fcf44a2bfa4d5fcde5b9b8eb524bb8399a36034a426864ff14ce88c42a7a559b3d9c17e06d439c3553c1606df9c0cfcb6a5a0c3d18939ce94f9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    919f0508b43b0aabafbc0b29675fa6e7

    SHA1

    5a64350a34dc88d20f83fb3ac8434924a98b3cce

    SHA256

    a8988edb08dc57b82a20cf0b65398175eb6655f9473faaf79de896d68c7485ba

    SHA512

    da8350ec0c4958ee4658b7fa1ccfd35cc10b3fa6d19c2c373a9204fd770a89da79f7d67859f2fb9b21a83bb2777eb7a0875338d8145ca4ddd0ba95ef1a890ebb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    bdbfe83c9bf0ca7e4b4215f1d2b84cd5

    SHA1

    37ad823b48e7593b19dec1d57e4893d2e2936522

    SHA256

    2e7db20af27021073c7827240e846ddba8858904a508dee112a638d89cd3f4dc

    SHA512

    217b2808ec58fc20ee1eaf1eae101ad0e1653e989a2fcda010eff6a0d3428e54ed2054a8fcd440e1beedd5f30eee97c01b24cb66d4cc73c4afc8372e1fe4ed6b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3df2d4a4f3afaa96c6eefa1fd31e7aed

    SHA1

    68fc85807592b394ab540c1a33fec95a64bf3b51

    SHA256

    9dd64a8a65a1c20bb72d8c1ead2877c827217eaad08883a264aeb0b04c1cd870

    SHA512

    7bfbd8eb73589f00f3542556f4ef26d9105151080002a6bd625c7403a841ba82d9eeee59c552dab03b49081bceb718ac7f571953368ff31d900e76b6e17e5c02

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f35f87277080c85b2ad4c225481ced39

    SHA1

    4cf3e70a0abac54e8ce0f63b02202fa225305612

    SHA256

    5792a9a8eb30388106c287c8d61718dc5f9375cbf2dfee7a6c20746560dfd7a5

    SHA512

    8012531bc733ee358647a21f17ab3b8cc9d175efcb68f3748062f0cb15d41d07bacf3f9c1337a07c5c97004e92962eca37185f179b2b4829979d4e5adc7ba34c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    138075b45b8d6c73ab963894741c1b8b

    SHA1

    a8f85cfd0f9f824eae209b7ad70277bfe11ae442

    SHA256

    013e4fd7916bcb615ca10e9bfb2a7bc5ff8e8959f2de6675152bf79b7e83c0d1

    SHA512

    879568cdba5955c0fb3852f0017bbabc93b5649bc4968839b2afd0fa3fa6400df41fba7c71afcc7c669b1d467f00fb973c61c21678b8d42c14e31c1b0695fc0a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3e2d03c73069a8cbec7e89eacb2874d8

    SHA1

    3c43d8604906c2ecef6052977732e7119c881627

    SHA256

    7bae8ce717b2c580eb2794037a89f775e17846a1498bee10aadfe0a698319581

    SHA512

    55aaeef11afa6907bc391955445cf363ced76fa09364cbf4131d7c226efffc025c28e461b34f71f4daa4aede9cae11eaee90163d3b0662d0cbe88417b527ceda

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    06442fa8be24ab0958a86d061cc66b34

    SHA1

    06f1297ecdd02044d5700f010e5e7436ffaa2995

    SHA256

    8cec945e4f6faf868b1b61241c24efe3e74914555a1ff12f6de3b5dfc615a3a8

    SHA512

    a80b62fe8df4427203d31eacf26041d65fefb75a1bec78884cf1c6481413cf692d11e2687200b84e820b8244c13278f38bd169dd5ac9d5deca6bb84acc0944ae

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    570fca05b2cad1d3c77b250e7b10419c

    SHA1

    d9d40819d0bffa8acab84555fcdc524aebacaddd

    SHA256

    52e76fb094d39e529882785c469fd51e26109c5af86188589670a2dac588a17e

    SHA512

    a123a971558adc595053bd7df4156d46e8163362a9ee3680e9c50db1da33226522668167d38fe205dc624339991d067c6f771c8c54b5ce51fbd4e1d2195194ff

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    571473f7d4b62323c1438f6a3a7967fe

    SHA1

    f69177de8f9bc737cb75ee1db102053322a39d85

    SHA256

    dea0af57e804c1008c530d5be4ffcfc267c993e1b75b4e37c6985dc1d5a413aa

    SHA512

    392df132626c0f49404ca0bc11a50709281e677a0f019b988f0c0a7d5bb00e059242c2689548bbf0e01962f8675e1f65390beb5b4ad5228419369ba7e9cdc9f0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    88688e4335a653160b7e1e66d0af0dd1

    SHA1

    6d85f88b28830e4616761c5ee1792df1dfd12f76

    SHA256

    151bcb3a228cea597452e6884522804ccf20a184fa25fa94b4bccdb649999584

    SHA512

    d7d81645ac859a0dac2195d343de98e9c97a2a5a1d5010b5023fed39100bd4419cf4cb9138d078e82c72594fa6c71ba8d3addfc46b4f4d7e730aefa55879bba2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    68554924146580870e9f5923fa94ad81

    SHA1

    84af98e00f350ce86ab00b3ea8183bad9555ea1c

    SHA256

    7b43dad68bc11646483d4824642a6c4ef1a6a774855fd2644a5e4d50301a00de

    SHA512

    0a14d183040159015c94f5d6c1adbdf7ca1029cf05cd094a460e0018a26c60bde389408396149e07bb423408737a3d6807d976f7797f1db89b5ab2d6a6ecbe19

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4D33E1QE\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\Cab96C7.tmp
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

  • C:\Users\Admin\AppData\Local\Temp\Tar9728.tmp
    Filesize

    161KB

    MD5

    73b4b714b42fc9a6aaefd0ae59adb009

    SHA1

    efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

    SHA256

    c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

    SHA512

    73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

  • C:\Users\Admin\AppData\Local\Temp\pss8D36.ps1
    Filesize

    5KB

    MD5

    fc1bb6c87fd1f08b534e52546561c53c

    SHA1

    db402c5c1025cf8d3e79df7b868fd186243aa9d1

    SHA256

    a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b

    SHA512

    5495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86

  • C:\Users\Admin\AppData\Local\Temp\scr8D15.ps1
    Filesize

    17KB

    MD5

    d815da347cf3c1a260840649beb56ff7

    SHA1

    4da95ffed10e7369b685a390fe4e99a6a1e1f416

    SHA256

    d6f001aeb36cdb8e6bbcb0d35ffe55c86ad5f942f9d0d15a089706801fdad931

    SHA512

    ca2cd68cf615db854c7ccc6cc5c84da4a8b5f6913229c856fc343ba3e7af8563b0afcd29e9d14ca75eb4cf833102a2ea8b802629f284819bfb2630a82d61b170

  • C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
    Filesize

    12B

    MD5

    cb7e235f444d5ac109ab9c25dd7f35cf

    SHA1

    87ee28f2e63bb04ded5350baa66f2ecadd0d4a9d

    SHA256

    52a7504015656dbe42f76b01b6b0f4da57627f5811d15434842b12e11bdd25db

    SHA512

    9d6b73fe7d61771aeed00d6c1b4c77b2f4ed4c179b0ee94fc1c75e84bbd51c002a78b472e82986e160dd55f1a762f5dd4858b586318b14855118cda83a1403b0

  • C:\Users\Public\Documents\AnyDesk\winrar.exe
    Filesize

    3.3MB

    MD5

    8a6217d94e1bcbabdd1dfcdcaa83d1b3

    SHA1

    99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

    SHA256

    3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

    SHA512

    a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

  • C:\Windows\Installer\6c7e07.msi
    Filesize

    4.5MB

    MD5

    68ba045e1427d63d03660ef2d88584d0

    SHA1

    a3e9bd9adddf1aaaaff03cd69a7128e6fc774977

    SHA256

    e06b212b0c26d4f385a3623c64820b3ea4bbd83065646a38d1f3e0cfdfbb0898

    SHA512

    d677806a4c4ed419995b0ead65db4081c3e4b002e400fafb8d042d6695e7e17cc476a0ccc8df9c1caed164254ba2536c73891f89f6f9f57aea7a5421a6d964e8

  • C:\Windows\Installer\MSI7EF1.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

  • C:\Windows\Installer\MSI8123.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

  • C:\Windows\Installer\MSI81D0.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

  • C:\Windows\Installer\MSI86A3.tmp
    Filesize

    574KB

    MD5

    7b7d9e2c9b8236e7155f2f97254cb40e

    SHA1

    99621fc9d14511428d62d91c31865fb2c4625663

    SHA256

    df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

    SHA512

    fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

  • C:\astuto\escasso\Hw2confiança.exe
    Filesize

    9.7MB

    MD5

    2e47fc5675f96d63b11821b8f0395f17

    SHA1

    1dccc123e58d2802491602345433dcb1e723f192

    SHA256

    74b6bdee25a3dbb1a89e8e4170094c21ce60e782ff58e1123a99dae415ffe9d4

    SHA512

    2ab1ce6c8ff45286411b95ddf8afba44e2fb8fd30d7d0feefe08b286a686bc415df2be890afc67d4513dac70ee2512f79854b5c265a4a0e9e7e86f6ab2d89273

  • C:\astuto\escasso\Update.zip
    Filesize

    32.9MB

    MD5

    d546eff329671383fb1f934e80ea7435

    SHA1

    c8e7ce1bff5870397cc6a636b73d79c4a1804da7

    SHA256

    8a188dc28b67770cef25f9ea7312ca84f674c60c9f418eab0fedbbbffde9695c

    SHA512

    fb2a5851b10b3d72f3f4be90d85c0b8aab4c3fb02b99802134c0618608c9a8c17df51521c28c85f7ebd6aa032a9602a44061c06fb0eb557e34557d73f8a4098b

  • C:\astuto\escasso\windowsdump
    Filesize

    89.4MB

    MD5

    41aa2f4db1989e641169e9ccdf38a347

    SHA1

    ced16950ca2e1c5d08ea87bb3034c21e6c6dd1df

    SHA256

    573e582a98e8190dcf3b0dbe5ed86fe6e56044e948b5d5221b18052b584d5dc0

    SHA512

    3423b722e89e4086f9ffd155b8039acd698775bf56181c23621269ca512e24e4a83c091c4ecbbf008edca0306b943c6e5b70170b51a17bf3f450c4d58d63f358

  • \Program Files\WinRAR\RarExt.dll
    Filesize

    632KB

    MD5

    650a771d005941c7a23926011d75ad8f

    SHA1

    84b346acd006f21d7ffb8d5ea5937ec0ee3daa4f

    SHA256

    b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f

    SHA512

    4724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad

  • \Program Files\WinRAR\Uninstall.exe
    Filesize

    412KB

    MD5

    92667e28583a9489e3cf4f1a7fd6636e

    SHA1

    faa09990ba4daae970038ed44e3841151d6e7f28

    SHA256

    9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

    SHA512

    63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

  • \Program Files\WinRAR\WinRAR.exe
    Filesize

    2.3MB

    MD5

    0b114fc0f4b6d49f57b3b01dd9ea6a8c

    SHA1

    23e1480c3ff3a54e712d759e9325d362bf52fabd

    SHA256

    f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

    SHA512

    e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

  • \Users\Public\Documents\AnyDesk\winrar.exe
    Filesize

    3.3MB

    MD5

    8a6217d94e1bcbabdd1dfcdcaa83d1b3

    SHA1

    99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

    SHA256

    3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

    SHA512

    a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

  • \Windows\Installer\MSI7EF1.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

  • \Windows\Installer\MSI8123.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

  • \Windows\Installer\MSI81D0.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

  • \Windows\Installer\MSI86A3.tmp
    Filesize

    574KB

    MD5

    7b7d9e2c9b8236e7155f2f97254cb40e

    SHA1

    99621fc9d14511428d62d91c31865fb2c4625663

    SHA256

    df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

    SHA512

    fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

  • \astuto\escasso\Hw2confiança.exe
    Filesize

    9.7MB

    MD5

    2e47fc5675f96d63b11821b8f0395f17

    SHA1

    1dccc123e58d2802491602345433dcb1e723f192

    SHA256

    74b6bdee25a3dbb1a89e8e4170094c21ce60e782ff58e1123a99dae415ffe9d4

    SHA512

    2ab1ce6c8ff45286411b95ddf8afba44e2fb8fd30d7d0feefe08b286a686bc415df2be890afc67d4513dac70ee2512f79854b5c265a4a0e9e7e86f6ab2d89273

  • memory/1568-97-0x0000000002640000-0x0000000002680000-memory.dmp
    Filesize

    256KB

  • memory/1568-92-0x0000000002640000-0x0000000002680000-memory.dmp
    Filesize

    256KB

  • memory/1568-91-0x0000000002640000-0x0000000002680000-memory.dmp
    Filesize

    256KB

  • memory/1568-90-0x0000000002640000-0x0000000002680000-memory.dmp
    Filesize

    256KB

  • memory/1568-96-0x0000000002640000-0x0000000002680000-memory.dmp
    Filesize

    256KB

  • memory/1568-95-0x0000000002640000-0x0000000002680000-memory.dmp
    Filesize

    256KB

  • memory/1568-166-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
    Filesize

    4KB

  • memory/1568-119-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
    Filesize

    4KB

  • memory/1896-149-0x0000000000E20000-0x0000000000E2D000-memory.dmp
    Filesize

    52KB

  • memory/1896-164-0x000000000FE50000-0x000000000FE7B000-memory.dmp
    Filesize

    172KB

  • memory/1896-191-0x0000000011730000-0x00000000121EA000-memory.dmp
    Filesize

    10.7MB

  • memory/1896-180-0x0000000011300000-0x0000000011316000-memory.dmp
    Filesize

    88KB

  • memory/1896-632-0x0000000000400000-0x0000000000DC3000-memory.dmp
    Filesize

    9.8MB

  • memory/1896-176-0x0000000011280000-0x00000000112BD000-memory.dmp
    Filesize

    244KB

  • memory/1896-175-0x00000000111F0000-0x0000000011207000-memory.dmp
    Filesize

    92KB

  • memory/1896-174-0x00000000111B0000-0x00000000111E8000-memory.dmp
    Filesize

    224KB

  • memory/1896-173-0x0000000011130000-0x000000001116A000-memory.dmp
    Filesize

    232KB

  • memory/1896-170-0x0000000011030000-0x0000000011068000-memory.dmp
    Filesize

    224KB

  • memory/1896-171-0x000000000EF20000-0x000000000EF21000-memory.dmp
    Filesize

    4KB

  • memory/1896-169-0x0000000000400000-0x0000000000DC3000-memory.dmp
    Filesize

    9.8MB

  • memory/1896-168-0x0000000009240000-0x000000000EBB7000-memory.dmp
    Filesize

    89.5MB

  • memory/1896-167-0x0000000010E50000-0x0000000010E69000-memory.dmp
    Filesize

    100KB

  • memory/1896-165-0x0000000010DD0000-0x0000000010E46000-memory.dmp
    Filesize

    472KB

  • memory/1896-202-0x000000000EF20000-0x000000000EF21000-memory.dmp
    Filesize

    4KB

  • memory/1896-163-0x000000000FDC0000-0x000000000FE4E000-memory.dmp
    Filesize

    568KB

  • memory/1896-162-0x000000000FD10000-0x000000000FDB3000-memory.dmp
    Filesize

    652KB

  • memory/1896-161-0x000000000F7B0000-0x000000000FBBB000-memory.dmp
    Filesize

    4.0MB

  • memory/1896-160-0x000000000F770000-0x000000000F7A1000-memory.dmp
    Filesize

    196KB

  • memory/1896-159-0x000000000F3B0000-0x000000000F4E0000-memory.dmp
    Filesize

    1.2MB

  • memory/1896-158-0x000000000F170000-0x000000000F1B6000-memory.dmp
    Filesize

    280KB

  • memory/1896-157-0x000000000F1A0000-0x000000000F219000-memory.dmp
    Filesize

    484KB

  • memory/1896-156-0x000000000F100000-0x000000000F197000-memory.dmp
    Filesize

    604KB

  • memory/1896-155-0x000000000EF70000-0x000000000EF8C000-memory.dmp
    Filesize

    112KB

  • memory/1896-152-0x000000000ED50000-0x000000000EF13000-memory.dmp
    Filesize

    1.8MB

  • memory/1896-153-0x0000000000E10000-0x0000000000E11000-memory.dmp
    Filesize

    4KB

  • memory/1896-151-0x000000000EBC0000-0x000000000ED50000-memory.dmp
    Filesize

    1.6MB

  • memory/1896-148-0x00000000003C0000-0x00000000003C1000-memory.dmp
    Filesize

    4KB

  • memory/1956-150-0x0000000002170000-0x0000000002180000-memory.dmp
    Filesize

    64KB
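
The Downloads list repeats several records verbatim (the same path with the same hashes) and names memory dumps by PID and address range, so the declared size of each region can be recomputed from the range. The Python below is an added example, not part of the report or of any vendor tool: it parses records in the report's label/value layout, drops exact duplicates, collects the unique SHA256 values and recomputes each memory region's size in the report's own notation. SAMPLE copies a few records from the list above verbatim (one repeated on purpose), keeping only the Filesize, MD5 and SHA256 fields and omitting the blank lines, which the parser ignores anyway.

```python
"""Parse the dropped-file / memory-dump records above, drop exact duplicates
and re-derive memory-region sizes.

Added example for this report, not sandbox or vendor code. SAMPLE copies a
few records from the report (paths, sizes, hashes) with SHA1 and SHA512
fields left out for brevity; one record is repeated on purpose to exercise
the duplicate filter.
"""
import re

SAMPLE = r"""
  • C:\astuto\escasso\Hw2confiança.exe
    Filesize
    9.7MB
    MD5
    2e47fc5675f96d63b11821b8f0395f17
    SHA256
    74b6bdee25a3dbb1a89e8e4170094c21ce60e782ff58e1123a99dae415ffe9d4
  • C:\astuto\escasso\Hw2confiança.exe
    Filesize
    9.7MB
    MD5
    2e47fc5675f96d63b11821b8f0395f17
    SHA256
    74b6bdee25a3dbb1a89e8e4170094c21ce60e782ff58e1123a99dae415ffe9d4
  • C:\astuto\escasso\Update.zip
    Filesize
    32.9MB
    MD5
    d546eff329671383fb1f934e80ea7435
    SHA256
    8a188dc28b67770cef25f9ea7312ca84f674c60c9f418eab0fedbbbffde9695c
  • memory/1896-169-0x0000000000400000-0x0000000000DC3000-memory.dmp
    Filesize
    9.8MB
  • memory/1568-97-0x0000000002640000-0x0000000002680000-memory.dmp
    Filesize
    256KB
  • memory/1896-168-0x0000000009240000-0x000000000EBB7000-memory.dmp
    Filesize
    89.5MB
"""

ENTRY_RE = re.compile(r"^\s*•\s*(\S.*?)\s*$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_entries(text: str) -> list:
    """One dict per '•' record: {'path': ..., '<Label>': '<value>', ...}.
    Labels and values alternate on the non-blank lines after the path."""
    entries, cur, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(raw)
        if m:
            cur, label = {"path": m.group(1)}, None
            entries.append(cur)
        elif cur is not None and label is None:
            label = line
        elif cur is not None:
            cur[label] = line
            label = None
    return entries


def dedupe(entries: list) -> list:
    """Drop records whose every field repeats an earlier record."""
    seen, out = set(), []
    for e in entries:
        key = tuple(sorted(e.items()))
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def human_size(nbytes: int) -> str:
    """Mirror the report's notation: whole bytes, whole KB, MB to one decimal."""
    if nbytes < 1024:
        return f"{nbytes}B"
    if nbytes < 1024 ** 2:
        return f"{round(nbytes / 1024)}KB"
    return f"{nbytes / 1024 ** 2:.1f}MB"


def check_memory_regions(entries: list) -> list:
    """(pid, start, end, declared size, size recomputed from the address range)."""
    out = []
    for e in entries:
        m = MEM_RE.match(e["path"])
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            out.append((pid, start, end, e.get("Filesize"), human_size(end - start)))
    return out


def ioc_sha256(entries: list) -> list:
    """Unique SHA256 values, ready for a blocklist or a retro-hunt."""
    return sorted({e["SHA256"] for e in entries if "SHA256" in e})


if __name__ == "__main__":
    records = dedupe(parse_entries(SAMPLE))
    print(f"{len(records)} unique records")
    for pid, start, end, declared, computed in check_memory_regions(records):
        print(f"PID {pid}: 0x{start:X}-0x{end:X} declared {declared}, computed {computed}")
    print("\n".join(ioc_sha256(records)))
```

The size check helps when reading the memory entries against the dropped files: a region whose recomputed size is close to a dropped file's size is a candidate for that file being mapped into the process, but only comparing the dump bytes with the file proves it.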