hxxps://download2293[.]mediafire[.]com/kncs69fio3lglwqWYcUpnPEt1ObnDcfgxIs808enABj_YDbjECA58_GL5eS76ZBTYpOuSrLHcObg3-bFBx0yQpFK/lqcj2qteas2hqt1/Windows+10_11+Digital_License[.]+SolucionesPc[.]rar

Resubmissions

09/03/2023, 02:17

230309-cq7a3aab87 10

Analysis

max time kernel
189s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2023, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download2293.mediafire.com/kncs69fio3lglwqWYcUpnPEt1ObnDcfgxIs808enABj_YDbjECA58_GL5eS76ZBTYpOuSrLHcObg3-bFBx0yQpFK/lqcj2qteas2hqt1/Windows+10_11+Digital_License.+SolucionesPc.rar

Score

10^/10

discovery persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note

WinRAR - What's new in the latest version Version 6.21 1. Both file and folder modification timestamps are restored when unpacking TAR and TAR based archives like tar.gz and tar.bz2. Previously only file modification timestamps were set for these archive formats. 2. Added decompression of .tar.zst archives with dictionary exceeding 128 MB. WinRAR 6.20 allowed such dictionary for .zst, but not for .tar.zst. 3. Switches -ed and -e+d are also supported by ZIP archives. Previously they worked only for RAR archives. 4. Bugs fixed: a) if unencrypted file was stored after encrypted in the same RAR archive and both files had been unpacked in the same extraction command, WinRAR 6.20 failed to unpack the unencrypted file; b) in some cases a wrong detailed reason of file open error could be displayed in the second line of open error message. Version 6.20 1. If "Autodetect passwords" option in "Organizer passwords" dialog is enabled and password matching a processing archive is present among saved passwords, it is applied automatically. This option is applicable only for archives in RAR 5.0 and ZIP formats, which allow to verify the password validity quickly. There is a minor chance of incorrect password detection for ZIP archives if stored passwords do not include a proper one. If encrypted ZIP archive extraction fails, you can try to disable this option, repeat extraction and enter a valid password manually. 2. If extraction command involves only a part of files in RAR archive, the additional archive analysis is performed when starting extraction. It helps to properly unpack file references even if reference source is not selected. It works for most of RAR archives except for volumes on multiple removable media and archives containing a very large number of references. Also in some cases such analysis may help to optimize the amount of processing data when extracting individual files from semi-solid archives created with -s<N> and -se switches. 3. "Save original archive name and time" option on "Options" page of archiving dialog allows to save the original archive name and creation time. If archive includes such saved name and time, they are displayed on "Info" page of "Show information" command and can be restored on "Options" page of same command. Restoring involves renaming an archive to original name and setting the saved time as the archive creation and modification time. Switch -ams or just -am together with archive modification commands can be used to save the archive name and time in the command line mode. These saved parameters are displayed in header of "l" and "v" commands output and can be restored with -amr switch combined with "ch" command, such as "rar ch -amr arc.rar". If -amr is specified, "ch" ignores other archive modification switches. 4. Faster RAR5 compression of poorly compressible data on modern CPUs with 8 or more execution threads. This applies to all methods except "Fastest", which performance remains the same. 5. "Repair" command efficiency is improved for shuffled data blocks in recovery record protected RAR5 archives. 6. If file size has grown after archiving when creating non-solid RAR volumes, such file is stored without compression regardless of volume number, provided that file isn't split between volumes. Previously it worked only for files in the first volume. 7. Added decompression of .zipx archives containing file references, provided that both reference source and target are selected and reference source precedes the target inside of archive. Typically, if .zipx archive includes file references, it is necessary to unpack the entire archive to extract references successfully. 8. Added decompression of .zst long range mode archives with dictionary exceeding 128 MB. Previously it was possible to decompress them only if dictionary was 128 MB or less. 9. If "Turn PC off", "Hibernate", "Sleep" or "Restart PC" archiving options are enabled in WinRAR, a prompt to confirm or cancel such power management action is displayed directly before starting it. If no selection was made by user for 30 seconds, the proposed action is confirmed and started automatically. This prompt is also displayed for -ioff switch in WinRAR command line, but not in console RAR command line. 10. Context menu in WinRAR file list provides "Open in internal viewer" command for archive files. It can be helpful if you wish to view the archive raw data in internal viewer. For example, to read an email archive with UUE attachments included. Usual "View" command always displays the archive contents. If file is recognized as UUE archive, "View" would show UUE attachments. 11. Recovery record size is displayed on "Archive" page of file properties invoked from Explorer context menu for archives in RAR5 format. Previously there was only "Present" instead of exact size for RAR5 archives. 12. When archiving from stdin with -si switch, RAR displays the current amount of read bytes as the progress indicator. 13. If wrong password is specified when adding files to encrypted solid RAR5 archive, a password will be requested again. Previous versions cancelled archiving in this case. 14. If both options "Test archived files" and "Clear attribute "Archive" after compressing" or their command line -t -ac equivalents are enabled when archiving, "Archive" attribute will be cleared only if test was completed successfully. Previously it was cleared even when test reported errors. 15. NoDrives value containing the bit mask to hide drives can be now read from "HKEY_CURRENT_USER\Software\WinRAR\Policy" Registry key, which allows to include it to winrar.ini if necessary. Its "Software\Microsoft\Windows\CurrentVersion\Policies" locations in HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE are also supported. Previously only "Software\Microsoft\Windows\CurrentVersion\Policies" in HKEY_CURRENT_USER was recognized. 16. Bugs fixed: a) archive modification commands could fail for some ZIP archives with file comments; b) fixed a memory leak when reading contents of .tar.bz2 archives; c) if source and resulting archive format is the same, the archive conversion command didn't set the original archive time to a newly created archive even if "Original archive time" option was selected in archiving parameters; d) if "Merge volumes contents" option in "Settings/File list" was turned on, the folder packed size in WinRAR file list could be less than expected when browsing a multivolume archive contents. It didn't include the packed size of file parts continuing from previous volume into calculation; e) even if "Set file security" extraction option was turned off by default, extraction commands in Explorer context menu still attempted to restore NTFS file security data; f) WinRAR could read data beyond the end of buffer and crash when unpacking files from specially crafted ZIP archive. We are thankful to Bakker working with Trend Micro Zero Day Initiative for letting us know about this bug. Version 6.11 1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB. 2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments. 3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version. 4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive. 5. Additional measures to prevent extracting insecure links are implemented. 6. Bugs fixed: a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later; b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction. Version 6.10 1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm. 2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog. 3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older. 4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista. 5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done. 6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction. 7. Switch -si can be used when extracting or testing to read archive data from stdin, such as: type docs.rar | rar x -si -o+ -pmypwd dummy docs\ Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts. 8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example: rar a -ep4texts\books archive c:\texts\books\technical removes "text\books" from archived names, so they start from 'technical'. 9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch. 10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character. 11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data. 12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes. 13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes. 14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently. 15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion. 16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy. 17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives: WinRAR a -v100k -v200k -v300k arcname.zip Previously multiple -v<size> switches were supported only for RAR archives. 18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives. 19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened. 20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities. 21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression". 22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name. 23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows. 24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gr

URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

https://technet.microsoft.com/en-us/library/security/ms14-064.aspx

http://rarlab.com/vuln_sfx_html2.htm

https://blake2.net

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note

User's Manual ~~~~~~~~~~~~~ RAR 6.21 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual. RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe). Configuration file ~~~~~~~~~~~~~~~~~~ RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string: switches=<any RAR switches separated by spaces> For example: switches=-m5 -s It is also possible to specify separate switch sets for individual RAR commands using the following syntax: switches_<command>=<any RAR switches separated by spaces> For example: switches_a=-m5 -s switches_x=-o+ Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted. Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch. You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files. path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch. Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting. In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB. Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command. It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If no switches are specified, 'ch' command just copies the archive data without modification. If used with -amr switch to restore the saved archive name and time, other archive modification switches are ignored. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. If this command removes all files from archive, the empty archive is removed. e Extract files without archived paths. Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames. Example: rar e -or html.rar *.css css\ extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name. f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables; If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups. This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR. Example: rar k final.rar l[t[a],b] List archive contents [technical [all], bare]. 'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character. 'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters. 'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data. 'lb' lists bare file names with path, one per line, without any additional information. You can use -v switch to list contents of all volumes in volume set: rar l -v vol.part1.rar Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present. When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory. Example: rar r buggy.rar c:\fixed\ repair buggy.rar and place the result to 'c:\fixed' directory. rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name. Example: rar rc backup.part03.rar Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the

Emails

[email protected]

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	winrar-x64-621 (1).exe

Executes dropped EXE 6 IoCs

pid	Process
1468	winrar-x64-621 (1).exe
6124	uninstall.exe
4732	WinRAR.exe
1708	WinRAR.exe
5908	WinRAR.exe
236	gatherosstate.exe

Loads dropped DLL 3 IoCs

pid	Process
3144	Process not Found
236	gatherosstate.exe
236	gatherosstate.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240642968	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-621 (1).exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c7dfdf30-ade1-4982-abff-2ca3285c3cae.tmp	setup.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-621 (1).exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230309031814.pma	setup.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-621 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-621 (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 11 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	gatherosstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	gatherosstate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	clipup.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1232	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r19	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WinRAR.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r03\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r08	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r15\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r06	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r22	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r07	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 84709.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 453970.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4632	powershell.exe
4632	powershell.exe
3176	msedge.exe
3176	msedge.exe
4008	msedge.exe
4008	msedge.exe
4180	identity_helper.exe
4180	identity_helper.exe
5400	msedge.exe
5400	msedge.exe
3456	msedge.exe
3456	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5744	OpenWith.exe
4732	WinRAR.exe
1708	WinRAR.exe
5908	WinRAR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	powershell.exe
Token: 33	5212	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5212	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	2328	WMIC.exe
Token: SeSecurityPrivilege	2328	WMIC.exe
Token: SeTakeOwnershipPrivilege	2328	WMIC.exe
Token: SeLoadDriverPrivilege	2328	WMIC.exe
Token: SeSystemProfilePrivilege	2328	WMIC.exe
Token: SeSystemtimePrivilege	2328	WMIC.exe
Token: SeProfSingleProcessPrivilege	2328	WMIC.exe
Token: SeIncBasePriorityPrivilege	2328	WMIC.exe
Token: SeCreatePagefilePrivilege	2328	WMIC.exe
Token: SeBackupPrivilege	2328	WMIC.exe
Token: SeRestorePrivilege	2328	WMIC.exe
Token: SeShutdownPrivilege	2328	WMIC.exe
Token: SeDebugPrivilege	2328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2328	WMIC.exe
Token: SeRemoteShutdownPrivilege	2328	WMIC.exe
Token: SeUndockPrivilege	2328	WMIC.exe
Token: SeManageVolumePrivilege	2328	WMIC.exe
Token: 33	2328	WMIC.exe
Token: 34	2328	WMIC.exe
Token: 35	2328	WMIC.exe
Token: 36	2328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2328	WMIC.exe
Token: SeSecurityPrivilege	2328	WMIC.exe
Token: SeTakeOwnershipPrivilege	2328	WMIC.exe
Token: SeLoadDriverPrivilege	2328	WMIC.exe
Token: SeSystemProfilePrivilege	2328	WMIC.exe
Token: SeSystemtimePrivilege	2328	WMIC.exe
Token: SeProfSingleProcessPrivilege	2328	WMIC.exe
Token: SeIncBasePriorityPrivilege	2328	WMIC.exe
Token: SeCreatePagefilePrivilege	2328	WMIC.exe
Token: SeBackupPrivilege	2328	WMIC.exe
Token: SeRestorePrivilege	2328	WMIC.exe
Token: SeShutdownPrivilege	2328	WMIC.exe
Token: SeDebugPrivilege	2328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2328	WMIC.exe
Token: SeRemoteShutdownPrivilege	2328	WMIC.exe
Token: SeUndockPrivilege	2328	WMIC.exe
Token: SeManageVolumePrivilege	2328	WMIC.exe
Token: 33	2328	WMIC.exe
Token: 34	2328	WMIC.exe
Token: 35	2328	WMIC.exe
Token: 36	2328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4852	WMIC.exe
Token: SeSecurityPrivilege	4852	WMIC.exe
Token: SeTakeOwnershipPrivilege	4852	WMIC.exe
Token: SeLoadDriverPrivilege	4852	WMIC.exe
Token: SeSystemProfilePrivilege	4852	WMIC.exe
Token: SeSystemtimePrivilege	4852	WMIC.exe
Token: SeProfSingleProcessPrivilege	4852	WMIC.exe
Token: SeIncBasePriorityPrivilege	4852	WMIC.exe
Token: SeCreatePagefilePrivilege	4852	WMIC.exe
Token: SeBackupPrivilege	4852	WMIC.exe
Token: SeRestorePrivilege	4852	WMIC.exe
Token: SeShutdownPrivilege	4852	WMIC.exe
Token: SeDebugPrivilege	4852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4852	WMIC.exe
Token: SeRemoteShutdownPrivilege	4852	WMIC.exe
Token: SeUndockPrivilege	4852	WMIC.exe
Token: SeManageVolumePrivilege	4852	WMIC.exe
Token: 33	4852	WMIC.exe
Token: 34	4852	WMIC.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4732	WinRAR.exe
4732	WinRAR.exe
1708	WinRAR.exe
5908	WinRAR.exe
5908	WinRAR.exe
5908	WinRAR.exe
5908	WinRAR.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
5744	OpenWith.exe
1468	winrar-x64-621 (1).exe
1468	winrar-x64-621 (1).exe
1468	winrar-x64-621 (1).exe
6124	uninstall.exe
4732	WinRAR.exe
4732	WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 3324	4008	msedge.exe	89
PID 4008 wrote to memory of 3324	4008	msedge.exe	89
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 4004	4008	msedge.exe	90
PID 4008 wrote to memory of 3176	4008	msedge.exe	91
PID 4008 wrote to memory of 3176	4008	msedge.exe	91
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92
PID 4008 wrote to memory of 1800	4008	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://download2293.mediafire.com/kncs69fio3lglwqWYcUpnPEt1ObnDcfgxIs808enABj_YDbjECA58_GL5eS76ZBTYpOuSrLHcObg3-bFBx0yQpFK/lqcj2qteas2hqt1/Windows+10_11+Digital_License.+SolucionesPc.rar
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://download2293.mediafire.com/kncs69fio3lglwqWYcUpnPEt1ObnDcfgxIs808enABj_YDbjECA58_GL5eS76ZBTYpOuSrLHcObg3-bFBx0yQpFK/lqcj2qteas2hqt1/Windows+10_11+Digital_License.+SolucionesPc.rar
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8c0df46f8,0x7ff8c0df4708,0x7ff8c0df4718
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0x7ff6f84d5460,0x7ff6f84d5470,0x7ff6f84d5480
    3⤵
    PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6896 /prefetch:8
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7280 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7772 /prefetch:8
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7564 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7864 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7528 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7176 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3456
- C:\Users\Admin\Downloads\winrar-x64-621 (1).exe
  "C:\Users\Admin\Downloads\winrar-x64-621 (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1468
- - C:\Program Files\WinRAR\uninstall.exe
    "C:\Program Files\WinRAR\uninstall.exe" /setup
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:6124
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Windows 10_11 Digital_License. SolucionesPc.rar"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6740 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Windows 10_11 Digital_License. SolucionesPc.rar"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,800721134757472476,2892156842053139720,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
  2⤵
  PID:5268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x298 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4720

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Downloads\Windows 10_11 Digital_License. SolucionesPc.rar" "?\"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Windows 10_11 Digital_License. SolucionesPc\Windows 10 Digital License Activation Script.cmd" "
1⤵
PID:4912
- C:\Windows\system32\fsutil.exe
  fsutil dirty query C:
  2⤵
  PID:3180
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:5744
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE"
  2⤵
  PID:2316
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- C:\Windows\system32\choice.exe
  choice /C:12345678 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8] : "
  2⤵
  PID:4724
- C:\Windows\system32\choice.exe
  choice /C:GC /N /M "[C] Continue To Activation [G] Go Back : "
  2⤵
  PID:3832
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\system32\findstr.exe
  findstr /i "Windows"
  2⤵
  PID:3292
- C:\Windows\system32\cscript.exe
  cscript /nologo C:\Windows\system32\slmgr.vbs -ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T
  2⤵
  PID:5280
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Tokens" /v "Channel" /t REG_SZ /d "Retail" /f
  2⤵
  PID:5992
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Tokens\Kernel" /v "Kernel-ProductInfo" /t REG_DWORD /d 48 /f
  2⤵
  PID:3856
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Tokens\Kernel" /v "Security-SPP-GenuineLocalStatus" /t REG_DWORD /d 1 /f
  2⤵
  PID:2228
- C:\Users\Admin\Desktop\Windows 10_11 Digital_License. SolucionesPc\bin\gatherosstate.exe
  "bin\gatherosstate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  PID:236
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:1232
- C:\Windows\system32\ClipUp.exe
  clipup -v -o -altto bin\
  2⤵
  PID:5676
- - C:\Windows\system32\clipup.exe
    clipup -v -o -altto bin\ -ppl C:\Users\Admin\AppData\Local\Temp\tem4193.tmp
    3⤵
    - Checks SCSI registry key(s)
    PID:1112
- C:\Windows\system32\cscript.exe
  cscript /nologo C:\Windows\system32\slmgr.vbs -ato
  2⤵
  PID:3796
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\Tokens" /f
  2⤵
  PID:652
- C:\Windows\system32\mode.com
  mode con cols=98 lines=30
  2⤵
  PID:5688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE"
  2⤵
  PID:3052
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
    3⤵
    PID:440
- C:\Windows\system32\choice.exe
  choice /C:12345678 /N /M ". Enter Your Choice [1,2,3,4,5,6,7,8] : "
  2⤵
  PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
109KB

MD5
e51d9ff73c65b76ccd7cd09aeea99c3c

SHA1
d4789310e9b7a4628154f21af9803e88e89e9b1b

SHA256
7456f489100ec876062d68d152081167ac00d45194b17af4a8dd53680acfc9bd

SHA512
57ab82d4a95d3b5d181c0ec1a1a1de56a4d6c83af5644032ff3af71e9bd8e13051ae274609bda8b336d70a99f2fba17331773694d7e98d4a7635f7b59651b77c

Download Submit
C:\Program Files\WinRAR\RarExt.dll

Filesize
659KB

MD5
4f190f63e84c68d504ae198d25bf2b09

SHA1
56a26791df3d241ce96e1bb7dd527f6fecc6e231

SHA256
3a5d6267a16c3cf5a20c556a7ddbfc80c64fcd2700a8bfd901e328b3945d6a1a

SHA512
521ada80acc35d41ac82ce41bcb84496a3c95cb4db34830787c13cdcb369c59830c2f7ff291f21b7f204d764f3812b68e77fd3ab52dfe0d148c01580db564291

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
cac9723066062383778f37e9d64fd94e

SHA1
1cd78fc041d733f7eacdd447371c9dec25c7ef2c

SHA256
e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad

SHA512
2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
cac9723066062383778f37e9d64fd94e

SHA1
1cd78fc041d733f7eacdd447371c9dec25c7ef2c

SHA256
e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad

SHA512
2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
103KB

MD5
4c88a040b31c4d144b44b0dc68fb2cc8

SHA1
bf473f5a5d3d8be6e5870a398212450580f8b37b

SHA256
6f1a005a0e5c765fcc68fe15f7ccd18667a6e583980e001ba7181aaaeed442b8

SHA512
e7f224a21d7c111b83775c778e6d9fa447e53809e0efd4f3ba99c7d6206036aa3dde9484248b244fb26789467559a40516c8e163d379e84dcf31ac84b4c5d2a8

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
317KB

MD5
381eae01a2241b8a4738b3c64649fbc0

SHA1
cc5944fde68ed622ebee2da9412534e5a44a7c9a

SHA256
ad58f39f5d429b5a3726c4a8ee5ccada86d24273eebf2f6072ad1fb61ea82d6e

SHA512
f7a8903ea38f2b62d6fa2cc755e0d972a14d00a2e1047e6e983902eff1d3a6bca98327c2b8ed47e46435d1156816e4b0d494726fce87b6cbe7722f5249889b88

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
46d15a70619d5e68415c8f22d5c81555

SHA1
12ec96e89b0fd38c469546042e30452b070e337f

SHA256
2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781

SHA512
09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
46d15a70619d5e68415c8f22d5c81555

SHA1
12ec96e89b0fd38c469546042e30452b070e337f

SHA256
2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781

SHA512
09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
46d15a70619d5e68415c8f22d5c81555

SHA1
12ec96e89b0fd38c469546042e30452b070e337f

SHA256
2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781

SHA512
09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
46d15a70619d5e68415c8f22d5c81555

SHA1
12ec96e89b0fd38c469546042e30452b070e337f

SHA256
2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781

SHA512
09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb

Download Submit
C:\Program Files\WinRAR\uninstall.exe

Filesize
437KB

MD5
cac9723066062383778f37e9d64fd94e

SHA1
1cd78fc041d733f7eacdd447371c9dec25c7ef2c

SHA256
e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad

SHA512
2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
726e15f087c2bc9f3402c355338a330b

SHA1
e644a7813df9d7ed9a560e5d385f604ab0ddd28b

SHA256
cdcf48b19dc03f957659a6bf01c9b8827c7221fc4f4ab7d2f39083817b01becf

SHA512
0de072ddc25486e608c7d062d564bf61301ac35115747139f0957605022c55b5a007d50eb137ea325749b91d099963e083d1b12a773946edf48bdc1664021880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6dbd128a-8ad1-4faa-b350-1eb321cc367d.tmp

Filesize
11KB

MD5
5797718f19faa6d0d37a6a3b90072460

SHA1
c4020a1761d1056e19f5158e09045d5dcc6728d7

SHA256
5e81c3ddf4d48578d75b999da0a7209ccf4fb9236fe7a260fcb18fcc035df334

SHA512
958faa99ca38fe248aee48a81be35e89e817db894a5b0f6d275e594d6e5810285f777240df3f5550720e846ef71766279fae56cbfd1b28c662427c91538dee85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
64KB

MD5
58442e87246f8c13069e8b637063ffde

SHA1
95a17723e5dfe214569b0b2523ae6d40716ea54e

SHA256
6ceb84d55e5da2e124f76a14aa2b673c21a0007dbafd9f8a701eda2378e80821

SHA512
502bfdfb5eae82d37ef0003a3ea13429496cbd8fafaa4d1a2718523330d44a4bb583e0d5061a14ee6718c8e394e679f5442c490233cee1c3937ba6e183d5ad1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
68KB

MD5
acc9d35c3d0ff059eecf55e4348546de

SHA1
9c763f1d68eace2a50fbf597f3d2c9eac9ee0761

SHA256
9ba685b7859894ee91e0f2394f6b81a71fd8103832308a6b8f3aa70520667dd4

SHA512
a8cc2b78a9664ae569431de3b62a7cdc6ca741c9a5a3fc7ae5c6fd6c832f6f7d3ad94ed6982eafa8fb6afc24c37d1b32716a113177f4dde304a328089407a396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
38KB

MD5
e4c780a544249a7967b82f07268ef432

SHA1
64b38d103f06b8de4241c62835f67b28a96d286c

SHA256
4d2dc675ba41d56f2aa6cc1286f3f127590c9748f7b4e0bf4c79b0b4bd620a9a

SHA512
74b9135f09dffd7a081889235d2f4c7a343291a4c4458ac69754cdd5790b455b9b98a128561d516202549e83671de13cc4e4b9cfb3ff195dc3d23b42885edf49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
30KB

MD5
888c5fa4504182a0224b264a1fda0e73

SHA1
65f058a7dead59a8063362241865526eb0148f16

SHA256
7d757e510b1f0c4d44fd98cc0121da8ca4f44793f8583debdef300fb1dbd3715

SHA512
1c165b9cf4687ff94a73f53624f00da24c5452a32c72f8f75257a7501bd450bff1becdc959c9c7536059e93eb87f2c022e313f145a41175e0b8663274ae6cc36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
19KB

MD5
ca7fbbfd120e3e329633044190bbf134

SHA1
d17f81e03dd827554ddd207ea081fb46b3415445

SHA256
847004cefb32f85a9cc16b0b1eb77529ff5753680c145bfcb23f651d214737db

SHA512
ab85f774403008f9f493e5988a66c4f325cbcfcb9205cc3ca23b87d8a99c0e68b9aaa1bf7625b4f191dd557b78ef26bb51fe1c75e95debf236f39d9ed1b4a59f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
588KB

MD5
20a7367a54b10be79289e28d5fb20a06

SHA1
3c9a6baa305bc8d0de1d91cb4dc26f353ba0b7d0

SHA256
749361563506fd9333be72a98da0ac9b0ed9228b91c9ef7587764fe2dff37b6f

SHA512
7901fb19cdd41561491ae81cd5075bdefaa244ee551267dd7f645f1a93d479e2296c7f3d27688beb8717bc78f8bebdd05d02c6757df356aeed43c93cd9c2ccf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
48a82b282a2ac82921cc366c9d6fa0df

SHA1
2814e02743c25900b2333e85b8ca070290f6d572

SHA256
81902d8d1103108a4d50f2ba8d6bb1dd57c91496788fe5540a39ee9f54964f65

SHA512
e7cb08b818c3bdb9d93d52ed6d7f2d253dc59fcd2a516e9a925a810acd5813a4fc2e4490a61bfc3e897500e31f555306d28fbaac7b2ca7012576842dd1351463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
f83da402c5cc629eaba65d1ecf5f5059

SHA1
a502d9d8bbccee47eff6ec573ff5b624eae7a05d

SHA256
1eb464bc78ce605e313da155c4c666a85542b7bda3c8499e97ff0b34137cd6d0

SHA512
c89d8c1f1d215399790f98a09da3d32d33fd60199891d764af8311d8a7ab24639075cb7c5472063bd4a68676bd3b61f7f2d474504a096b390f7fe0866331be10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
36dd1064c5a24951130e980eddc5fc9f

SHA1
f76c8cd9518d79bff43bc574d74291e2c53d74f4

SHA256
83e59dcef6cae3e5047176e9cb16096391042fa2c7c63dc72c7ffde26d3fab89

SHA512
692b4e9e5eb807b81b74aec88220107413b5dbc3a3459295cd946930f66c58025daffdbf34d042669d02994d2426ab4b72b7b15258b1f332ccdc00f43a5820e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
ba9413d65a2544ddae918cf1138fb85d

SHA1
1d1d157bc7495e5a91a3e34f72c2bc3f9dfc47b7

SHA256
3e3409ba0c9ac70b3e9c8f9409fd6c25e1f92a1f58a4c29453f0a49488ed6aed

SHA512
01f8b16dc9253ffb12420beab06fe5f3333c92ec594b5132b2a2b89815b32bc969b4d02cdda86712ad8a15aee621f2abdfa2c0e57947c22f3f9d842137728dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
679e8076f02fdd0864e21a2e77b4b51d

SHA1
26cf1ace3bbd3547361949ae3983b7b93a40d211

SHA256
17ed918693d047286d16b459f9a86d29e6ba9c4306a51b8779f5f7c5e6a35b65

SHA512
2941b559809af1bc83a64f039a09ba7c85b2629439458099e33ff569dc293e3944a85c4078befc6c4eafdbaa068be0481bdbcc792580bb435c5a0b31f8f9d438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
5198a81fd616f0b538ba1179f59b37d5

SHA1
5ef2200f2f5237e18c8e631e5e04367ea0ec9824

SHA256
3987fccbf9946e7ed73a02e5fd8d1ae0248abea5ecb1e768526fde0c0aef3004

SHA512
26b84824ffb27d8f32d6facb883405f1d8ac0e0611976e643c1f984f95e3f7945fa8e690cb998309d45f3ccbb994391d88be752c163b04e7843b7ff6b8938c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
5bab2999f1615815219c8c1db83ad768

SHA1
a8b756f56852580d73a55b49fb452d7bb4de7bd9

SHA256
12bb2c1cc611a3d3a7336e11276643e66f89fce85675ecbae1abc867dad004ba

SHA512
5eedd9f0985237353321fc5c04696234a19939fef191153dd845a8b6c9500abacbd8c9e1e66b43fe3aad86cd112e9e742e97001325561bad5d51a59338b1475e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
3b7599dcde9674dc015b55a4a07c55e1

SHA1
978bb998a6fbadcbdd6664d82451ec94e74a99f8

SHA256
c89e238e4e25a39cf5796331e7348e0887e5decadcc6fd9514bc8805594d347d

SHA512
5365f032ce7f745046932978702a366dc53859f011e5a2d80729a880b01abbc8627cbe2f5b848d0693e4b02d268631712ee468d7107e5092fc0f7338388002f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
789d8f9d49bbff3c820a6eeb53bb85ca

SHA1
b75176a210c716e6e8094720d92b4680e811bf63

SHA256
75d0c79547df89a23995c61056dc6f521cf5cd834f15af4c1135499aecad4ba2

SHA512
5252e214a4fa1cec9c7c3831ca20ada1e118a643affcdadd9332beb335c2350125943886bfc4370229e1d76829ad704e8792f18881ee69ac4370acee0d1cd3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
10178725bc177921654416dd04955f30

SHA1
a5c9714944699f6c24ff196193abfdb9d5b7b7b1

SHA256
eb057867603d19b7ef9b2967ead5748f6bf5603a52d1edc4c5b253b1baa32631

SHA512
72d6876deef6f60919018331240ed281e232827a3293ba2de22f4e3b24ce45760cf5070e2b526899e7680a31be6eca072fc847c5cafa36b91addb80c89250663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
c020104e28ea48d4e02ff0212e144925

SHA1
18fc827b294b31a524aeb0625d266a2c62b65c66

SHA256
6939b99c4fa2dde1d6175bf3b181cf55de28baea3a59b83de52fdcead905539a

SHA512
5912721e4db75d9aee6cf51ed47d616cb483a05a6a1eff3722580986cf891f077680bcd09bcddea0056fa8e4cf83f040d0c81fa34f655dc6d344c3270a5cfd53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
a2a3596e61a468793401755c99ce9a30

SHA1
f8735175c297c3718b537de369caf48caecadadc

SHA256
fdb1c3a3bee785d12aa39e9244d7e7a5a82b9a68dbab99c902c82f7c4e220394

SHA512
d50bcd006d5d9df0771f5b957f06ae945975e1bf7f356147a9717ecf42351b8cf006f44535a6a51b4d823a8e35bc6a3eafec66c468574bd3971c7e6db3dbbeea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
245b6e7da22b6f705e0251d6599517cc

SHA1
3d02ffa7b18a9e3df41cc3bb7fb0308bfe18f6e5

SHA256
1873632fa45062c704f081636555c54e4ab24c5e952dd2aad2e79df1dd35b353

SHA512
db5775ade1d0383b27e172b79cd1af990e109971da07c0c51e650a6c42c9aee5f93aa61bab830c25866889b2899ab0527406f99d6d455c1c8aed6a3d5b35af32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
4342253d5e72dd24de3b1ff3d3c83616

SHA1
04da71554d114ce9d1c92c6e007b6c6f2498c18b

SHA256
9d76ca37a1938971c06d9818006af8a09431e145bff395d580dba2cc82ab6bec

SHA512
1aa604f80f273f0f2fd1ff25275d95cf00d977b51b5b8973ee0f25f2061c74a395443874d69fd8500a02b2c178d1eae889ea8c5009a4080702a7c748bf242bdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
42f786bf5ad61bf0dd4427283d4ed9e6

SHA1
a07b4173788781b66c490f097165e179a21ade6e

SHA256
e479f2822fa8b1c4d1d1dd62395b05485095e0ff9afc764a3c4015715e0acdd0

SHA512
ee9edf923ebb80b968f46ba823199d2baff7f1509ce90b65d6380eef0fc3fdad3f84942c1a92598d29e97e91ca25c2224fbc239fa2860e7b4800fc6e2adedac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ba5cb66f09750dbe2e33c752ebe62c4a

SHA1
8cb3852b47979a2846cc5f2c757f2d35de038827

SHA256
34951c8b77d0ee1b77edb3ec42175d8335fd719cd2cebaaba36bac3b58cb5dd1

SHA512
dbdcd3265de5388281dc88146ae5016aebca71f134a84ce46389f4cc726cf1949b34e91edd6039a9ebc1a0c82eff1682ebf7e783b1caf3ff09ebecd9d5492453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
26d7d673d48139e0ec20653298d8ff6f

SHA1
a2ade1c975dd69b04a06392583f67a830655404c

SHA256
2101ca07b95a4ed0afba95b9c4adbee7903b27931deac1df801f5ee2d2d57581

SHA512
e4160ac406f51c3b827aecc82fa35a1cc7cdd6b5334ce68059ec30d0ed14e0f4bb244eb8083c08990b2b086eb9385a343d9e16eaba193d557a59624ee01d4573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0559150b9632300e3cc7f03b1d67eecb

SHA1
2ca5401f0e12e5baa85d02ba541ec2c6157003ea

SHA256
4fd7948b96ed67c90bd11fc1bc928daf26257589e953c7e3c6fe1b78fb19c269

SHA512
ff333e0f0d2fdd6a74b3179a8356b17825634cb40c8e201567a4df42c1ba67510f108772a08fb3fd7710fdc9fef2ec5c3e7f6627e973b264b21b1e121072301c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a35f0ec91d42248e81169edcde000e4e

SHA1
baaaddca8c8da33c4508b35e05033754fa4e0bfc

SHA256
c5c94a42a06a75d178a76c9427df06f7da534791c0405f8f8ed0b814fcfe92d1

SHA512
4c37de09b5c9aa73a4b61efed0ef3cc22ee0868ea06a4bad7acb15bcc77f08708b12613b36c09b8a9c6a4bbc356591aba1f048592e0e857cced24fc9e9f706be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5738f2.TMP

Filesize
1KB

MD5
4fab2a282011cd7629f7b35827f13d65

SHA1
d1b01517a971e9df3c8983e9f520f1bdefefa586

SHA256
7035848790e25f4a96305a5f3a8624e72bcef2a83006398b56e55037586c3c59

SHA512
0d7a78dbc7a0b269ff3b02835fd6c260ca59ab6671d364fd2f124d861b49c28b66d4054c9f6d3f2e4108bdfdda7f14a7e0a3b9ca6976b4ef446157ee25f4f990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
9748fd1e78454bdfdda87621a29731c1

SHA1
8e6e940bb0814898654d989fd62073408436e491

SHA256
43042aa4cf8463d4b0f3f3911da56bdc1ae2f2114d27ac57361a0f084e3f7203

SHA512
ea767689b0f78e073646c7b44f4a1bee5c609f8475062d2e64e1f4310f8fbff595e50ba142b49e750787f71693256fb04727966d6b9e5a74b5048759060e32b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
82699de519da3831adf8b17f8e93584a

SHA1
18b525adc885a0c5757fca18188fa2c64f7f2f01

SHA256
6661c0bc3caee4d306fd156e3bc6a9bca6b6eaf938044727fe28b22545e4bf0f

SHA512
aed5469775c0528a159db9b9257b788dc6e989ecad438ac189dcff31d07b830801eb8c5a58057d55c9db3c083143d547abacc13306e2a9c40b46400a35ac697f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
7b93ceafd4d2601930e1b6f156edb109

SHA1
59b67978fe442913d2e5059840b203fc2ee14861

SHA256
fd8af4fe392e2aec36afac6daf68091fb608613158ac615151041d5fff6b3f83

SHA512
7d7e3c29a52e0de1c034cdffb2a96e2821ae7525ef421e86d4e5ece23d60472e72966095adef267000a6e33aab501c3c3226dd2fee07295192c726977719eb1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
636e66b48d36774f8841b092e765e611

SHA1
41f18348b511039b94f18546e844dd6929fd0eef

SHA256
8af367c3e5d893a14efbcf6cdd5a41108efa59da7379252b9ac9761ed12b86fc

SHA512
a2672eaf65d2b047199ebddf3333157b309f1ff1c0cda332bc2a4dd707cb286a532b465b4f8367ecf555b0b024a03cd6a3c14290e0d5838ce84da7d31ab90f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
765478d0bcb00361b7396697f63ddbcc

SHA1
0f26a5b92fc1af83865d7d126fd149ef6d944569

SHA256
d21a1850043f9f92c3da6985bc3a1063abf72cf8378a98d654b3008ca28ff903

SHA512
4fe105045dce785f1bb45250a0b2ee6df454a20ed17ddb15ce36b492a32ebcb5a9a6be217b5ebb4e72aefd068581ab9c21d03734506a45f8764ad09ad1869911

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vfugbfsb.v4s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
25ee8db6d37fa76ab6aa015987a83208

SHA1
ab60135cadec5b367d9ad641a1179c1e4030abea

SHA256
ed6a4e1791093168e2c362913d577317dede82d60a14412f9d1ffe5358ab14ba

SHA512
60fefcef8030bd7c4a05b5bad1c0a0a31b9071391e780bf5c63f7e6350bc02fa46515cc14f320e55c79340c9bc6f1c579484e06ea87e796770d1ac203c17e0a2

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
e52e659e803446d4876f0cd159db58e0

SHA1
3f481b969ef32db706a773abb266f904400b35df

SHA256
27a5aa4f4dd632d76c9ae5eab035beadbe54a00f59aca84722c058220f4b9e40

SHA512
af0bf2948c2a2613eb67b433a756fc223184d2a690d077bf3cdaf8eb2a2337197998c97a8263121fd50bf8056bf90cb69357bf03637909811dcdedd2ba44d183

Download Submit
C:\Users\Admin\Desktop\Windows 10_11 Digital_License. SolucionesPc\BIN\gatherosstate.exe

Filesize
1.3MB

MD5
b13bc5b62f54607c334a6464d9b85cc8

SHA1
12721c69acbcb515f7adbee08ec42fc61192c187

SHA256
51791625054b01802fd5aaa6c4a929827b369dfef7b2891b5f55e0fa61af0c7d

SHA512
58a9c4e413992b8c225fd622934929382070cbe8c8999bdb93851a1f46a0129d674135eacce2b3f96a19dfbb7333e3b921b5e39b727339c9897de7a02d2ce3bf

Download Submit
C:\Users\Admin\Desktop\Windows 10_11 Digital_License. SolucionesPc\BIN\slc.dll

Filesize
6KB

MD5
e2840606372ab67b7107ce757d506c28

SHA1
87c1c645eba6d6a2aa695d4fd2ece5fc5e5568ef

SHA256
37e20a504ade965184d92ed5ca415cde899090a6a20ea3abf8c85ff9648b66f4

SHA512
cf7914a6a8c6d878caeb7f726f86fbdc77d2ea246d9ea600d82a0c66e4154ee0acdbd3ff5949523b35642735d741fde39d177e5d4aff83ea4475ef84e0188ab6

Download Submit
C:\Users\Admin\Desktop\Windows 10_11 Digital_License. SolucionesPc\BIN\slc.dll

Filesize
6KB

MD5
e2840606372ab67b7107ce757d506c28

SHA1
87c1c645eba6d6a2aa695d4fd2ece5fc5e5568ef

SHA256
37e20a504ade965184d92ed5ca415cde899090a6a20ea3abf8c85ff9648b66f4

SHA512
cf7914a6a8c6d878caeb7f726f86fbdc77d2ea246d9ea600d82a0c66e4154ee0acdbd3ff5949523b35642735d741fde39d177e5d4aff83ea4475ef84e0188ab6

Download Submit
C:\Users\Admin\Desktop\Windows 10_11 Digital_License. SolucionesPc\Windows 10 Digital License Activation Script.cmd

Filesize
25KB

MD5
b84b661e01657e59ba6e35606506a193

SHA1
8ceac0205d4756e1b1b3c78891c4bb41d60bd517

SHA256
06bfa4838b894c2cfc4e15304480931f9e5813a4dfa26b66db0284cabc0d21d4

SHA512
837a2a1826ed36bfddd1af7fb5a650045ce938634d00138c6c81b52c259f9ee1789d0a880338d064124cd2ec42795094b4e6254fc06ed195caac2b34d4e0d268

Download Submit
C:\Users\Admin\Desktop\Windows 10_11 Digital_License. SolucionesPc\bin\SLC.DLL

Filesize
6KB

MD5
e2840606372ab67b7107ce757d506c28

SHA1
87c1c645eba6d6a2aa695d4fd2ece5fc5e5568ef

SHA256
37e20a504ade965184d92ed5ca415cde899090a6a20ea3abf8c85ff9648b66f4

SHA512
cf7914a6a8c6d878caeb7f726f86fbdc77d2ea246d9ea600d82a0c66e4154ee0acdbd3ff5949523b35642735d741fde39d177e5d4aff83ea4475ef84e0188ab6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 84709.crdownload

Filesize
3.4MB

MD5
766ac70b840c029689d3c065712cf46e

SHA1
e54f4628076d81b36de97b01c098a2e7ba123663

SHA256
06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219

SHA512
49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

Download Submit
C:\Users\Admin\Downloads\Windows 10_11 Digital_License. SolucionesPc.rar

Filesize
765KB

MD5
937610a6c74377a9f6662bb151653080

SHA1
8986fb5ec6d4f4178c4654bedf8f9de59a52bd10

SHA256
514863b086028f71861670231319729ae3e3858c40338303363d5eb27399da91

SHA512
af0a785d38c8823e6167832eda11bce28eaa0fe6a452ef28d99ff3cdfdda3bfef4c6dcaeaf1f5de9ebfc2faed7ab8242fabe86e44a47bd12bb352713591fa8b1

Download Submit
C:\Users\Admin\Downloads\Windows 10_11 Digital_License. SolucionesPc.rar

Filesize
765KB

MD5
937610a6c74377a9f6662bb151653080

SHA1
8986fb5ec6d4f4178c4654bedf8f9de59a52bd10

SHA256
514863b086028f71861670231319729ae3e3858c40338303363d5eb27399da91

SHA512
af0a785d38c8823e6167832eda11bce28eaa0fe6a452ef28d99ff3cdfdda3bfef4c6dcaeaf1f5de9ebfc2faed7ab8242fabe86e44a47bd12bb352713591fa8b1

Download Submit
C:\Users\Admin\Downloads\winrar-x64-621 (1).exe

Filesize
3.4MB

MD5
766ac70b840c029689d3c065712cf46e

SHA1
e54f4628076d81b36de97b01c098a2e7ba123663

SHA256
06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219

SHA512
49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

Download Submit
C:\Users\Admin\Downloads\winrar-x64-621 (1).exe

Filesize
3.4MB

MD5
766ac70b840c029689d3c065712cf46e

SHA1
e54f4628076d81b36de97b01c098a2e7ba123663

SHA256
06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219

SHA512
49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

Download Submit
memory/236-1510-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/236-1504-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/236-1511-0x0000000063780000-0x0000000063798000-memory.dmp

Filesize
96KB

Download
memory/236-1509-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/236-1502-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/236-1503-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/1112-1514-0x0000022FE87D0000-0x0000022FE87E0000-memory.dmp

Filesize
64KB

Download
memory/1112-1518-0x0000022FE87D0000-0x0000022FE87E0000-memory.dmp

Filesize
64KB

Download
memory/1112-1515-0x0000022FE87D0000-0x0000022FE87E0000-memory.dmp

Filesize
64KB

Download
memory/4004-160-0x00007FF8DD6D0000-0x00007FF8DD6D1000-memory.dmp

Filesize
4KB

Download
memory/4632-144-0x0000011BE6E40000-0x0000011BE6E50000-memory.dmp

Filesize
64KB

Download
memory/4632-145-0x0000011BE6E40000-0x0000011BE6E50000-memory.dmp

Filesize
64KB

Download
memory/4632-142-0x0000011BE9B70000-0x0000011BE9B92000-memory.dmp

Filesize
136KB

Download
memory/4632-143-0x0000011BE6E40000-0x0000011BE6E50000-memory.dmp

Filesize
64KB

Download
memory/5368-471-0x00007FF8DE2B0000-0x00007FF8DE2B1000-memory.dmp

Filesize
4KB

Download
memory/5368-470-0x00007FF8DE1D0000-0x00007FF8DE1D1000-memory.dmp

Filesize
4KB

Download
memory/5676-1513-0x0000024138A30000-0x0000024138A40000-memory.dmp

Filesize
64KB

Download
memory/5676-1512-0x0000024138A30000-0x0000024138A40000-memory.dmp

Filesize
64KB

Download
memory/5676-1519-0x0000024138A30000-0x0000024138A40000-memory.dmp

Filesize
64KB

Download