Resubmissions

15-03-2023 06:00

230315-gqjbfsbg99 10

15-03-2023 05:55

230315-gmffdsbg89 3

Analysis

  • max time kernel
    518s
  • max time network
    497s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-03-2023 06:00

General

  • Target

    Exitlag.rar

  • Size

    15.7MB

  • MD5

    db5af2c6be52fdfc95ec6cfa28faa002

  • SHA1

    3a875cf8b4f30a7e22cece899c21489e96bf785e

  • SHA256

    37d6498e6575f42269d44c588a41f1457d5169f98e68b26b44712cfecfe27ccc

  • SHA512

    5f92d62aefb7935ef48c79e8cc1f9c371174d6a59a4814c1f746c22f1f08d5673bca263e1244adad87d37c26186c5e80e3c05b1e8e2820d74faf655f1e30e540

  • SSDEEP

    393216:nI0MfL/sZhjYMpGxxTLEyF7vCoWqi89/rFFtxKbw:nI43jGjTL3F7K8r9zFbxKc

Malware Config

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note
User's Manual
~~~~~~~~~~~~~

RAR 6.21 console version
~~~~~~~~~~~~~~~~~~~~~~~~

=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Welcome to the RAR Archiver!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Introduction
~~~~~~~~~~~~

RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual.

RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format.

Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode.

While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe).

Configuration file
~~~~~~~~~~~~~~~~~~

RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string:

switches=<any RAR switches separated by spaces>

For example:

switches=-m5 -s

It is also possible to specify separate switch sets for individual RAR commands using the following syntax:

switches_<command>=<any RAR switches separated by spaces>

For example:

switches_a=-m5 -s
switches_x=-o+

Environment variable
~~~~~~~~~~~~~~~~~~~~

Default parameters may be added to the RAR command line by establishing an environment variable "RAR".

For instance, in Unix following lines may be added to your profile:

RAR='-s -md1024'
export RAR

RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size.

RAR handles options with priority as following:

command line switches highest priority
switches in the RAR variable lower priority
switches saved in configuration file lowest priority

Log file
~~~~~~~~

If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details.

The file order list for solid archiving - rarfiles.lst
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'.

In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc.

Tips to provide improved compression and speed of operation:

- similar files should be grouped together in the archive;
- frequently accessed files should be placed at the beginning.

Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'.

RAR command line syntax
~~~~~~~~~~~~~~~~~~~~~~~

Syntax

RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ]

Description

Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted.

Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings:

c:\work\doc\*.txt //backup text documents
c:\work\image\*.bmp //backup pictures
c:\work\misc

and then run:

rar a backup @backup.lst

If you wish to read file names from stdin (standard input), specify the empty listfile name (just @).

By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch.

You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files.

path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch.

Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting.

In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory:

rar e '*.rar' '*.asm'

Command could be any of the following:

a Add files to archive.

Examples:

1) add all *.hlp files from the current directory to the archive help.rar:

rar a help *.hlp

2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume:

rar a -r -v362 -s -sfx -rr save

Because no file names are specified, all files (*) are assumed.

3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar:

rar a Pictures.rar Bitmaps

4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified:

rar a Pictures.rar Bitmaps\*

c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB.

Examples:

rar c distrib.rar

Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file:

rar c -zinfo.txt dummy

ch Change archive parameters.

This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command.

It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes.

If no switches are specified, 'ch' command just copies the archive data without modification.

If used with -amr switch to restore the saved archive name and time, other archive modification switches are ignored.

Example:

Set archive time to latest file:

rar ch -tl files.rar

cw Write archive comment to specified file.

Format of output file depends on -sc switch.

If output file name is not specified, comment data will be sent to stdout.

Examples:

1) rar cw arc comment.txt
2) rar cw -scuc arc unicode.txt
3) rar cw arc

d Delete files from archive. If this command removes all files from archive, the empty archive is removed.

e Extract files without archived paths.

Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames.

Example:

rar e -or html.rar *.css css\

extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name.

f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive.

i[i|c|h|t]=<string> Find string in archives.

Supports following optional parameters:

i - case insensitive search (default);
c - case sensitive search;
h - hexadecimal search;
t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables;

If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string>

It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables.

Examples:

1) rar "ic=first level" -r c:\*.rar *.txt

Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c:

2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar

Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory.

k Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups.

This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR.

Example:

rar k final.rar

l[t[a],b] List archive contents [technical [all], bare].

'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character.

'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters.

'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data.

'lb' lists bare file names with path, one per line, without any additional information.

You can use -v switch to list contents of all volumes in volume set:

rar l -v vol.part1.rar

Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly.

m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied.

p Print file to stdout.

Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data.

r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name.

If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present.

When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name.

By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory.

Example:

rar r buggy.rar c:\fixed\

repair buggy.rar and place the result to 'c:\fixed' directory.

rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name.

Example:

rar rc backup.part03.rar

Read 'rv' command description for information about recovery volumes.

rn Rename archived files.

The command syntax is:

rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN>

For example, the following command:

rar rn data.rar readme.txt readme.bak info.txt info.bak

will rename readme.txt to readme.bak and info.txt to info.bak in the

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note
WinRAR - What's new in the latest version

Version 6.21

1. Both file and folder modification timestamps are restored when unpacking TAR and TAR based archives like tar.gz and tar.bz2. Previously only file modification timestamps were set for these archive formats.

2. Added decompression of .tar.zst archives with dictionary exceeding 128 MB. WinRAR 6.20 allowed such dictionary for .zst, but not for .tar.zst.

3. Switches -ed and -e+d are also supported by ZIP archives. Previously they worked only for RAR archives.

4. Bugs fixed:

a) if unencrypted file was stored after encrypted in the same RAR archive and both files had been unpacked in the same extraction command, WinRAR 6.20 failed to unpack the unencrypted file;

b) in some cases a wrong detailed reason of file open error could be displayed in the second line of open error message.

Version 6.20

1. If "Autodetect passwords" option in "Organizer passwords" dialog is enabled and password matching a processing archive is present among saved passwords, it is applied automatically. This option is applicable only for archives in RAR 5.0 and ZIP formats, which allow to verify the password validity quickly. There is a minor chance of incorrect password detection for ZIP archives if stored passwords do not include a proper one. If encrypted ZIP archive extraction fails, you can try to disable this option, repeat extraction and enter a valid password manually.

2. If extraction command involves only a part of files in RAR archive, the additional archive analysis is performed when starting extraction. It helps to properly unpack file references even if reference source is not selected. It works for most of RAR archives except for volumes on multiple removable media and archives containing a very large number of references. Also in some cases such analysis may help to optimize the amount of processing data when extracting individual files from semi-solid archives created with -s<N> and -se switches.

3. "Save original archive name and time" option on "Options" page of archiving dialog allows to save the original archive name and creation time. If archive includes such saved name and time, they are displayed on "Info" page of "Show information" command and can be restored on "Options" page of same command. Restoring involves renaming an archive to original name and setting the saved time as the archive creation and modification time. Switch -ams or just -am together with archive modification commands can be used to save the archive name and time in the command line mode. These saved parameters are displayed in header of "l" and "v" commands output and can be restored with -amr switch combined with "ch" command, such as "rar ch -amr arc.rar". If -amr is specified, "ch" ignores other archive modification switches.

4. Faster RAR5 compression of poorly compressible data on modern CPUs with 8 or more execution threads. This applies to all methods except "Fastest", which performance remains the same.

5. "Repair" command efficiency is improved for shuffled data blocks in recovery record protected RAR5 archives.

6. If file size has grown after archiving when creating non-solid RAR volumes, such file is stored without compression regardless of volume number, provided that file isn't split between volumes. Previously it worked only for files in the first volume.

7. Added decompression of .zipx archives containing file references, provided that both reference source and target are selected and reference source precedes the target inside of archive. Typically, if .zipx archive includes file references, it is necessary to unpack the entire archive to extract references successfully.

8. Added decompression of .zst long range mode archives with dictionary exceeding 128 MB. Previously it was possible to decompress them only if dictionary was 128 MB or less.

9. If "Turn PC off", "Hibernate", "Sleep" or "Restart PC" archiving options are enabled in WinRAR, a prompt to confirm or cancel such power management action is displayed directly before starting it. If no selection was made by user for 30 seconds, the proposed action is confirmed and started automatically. This prompt is also displayed for -ioff switch in WinRAR command line, but not in console RAR command line.

10. Context menu in WinRAR file list provides "Open in internal viewer" command for archive files. It can be helpful if you wish to view the archive raw data in internal viewer. For example, to read an email archive with UUE attachments included. Usual "View" command always displays the archive contents. If file is recognized as UUE archive, "View" would show UUE attachments.

11. Recovery record size is displayed on "Archive" page of file properties invoked from Explorer context menu for archives in RAR5 format. Previously there was only "Present" instead of exact size for RAR5 archives.

12. When archiving from stdin with -si switch, RAR displays the current amount of read bytes as the progress indicator.

13. If wrong password is specified when adding files to encrypted solid RAR5 archive, a password will be requested again. Previous versions cancelled archiving in this case.

14. If both options "Test archived files" and "Clear attribute "Archive" after compressing" or their command line -t -ac equivalents are enabled when archiving, "Archive" attribute will be cleared only if test was completed successfully. Previously it was cleared even when test reported errors.

15. NoDrives value containing the bit mask to hide drives can be now read from "HKEY_CURRENT_USER\Software\WinRAR\Policy" Registry key, which allows to include it to winrar.ini if necessary. Its "Software\Microsoft\Windows\CurrentVersion\Policies" locations in HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE are also supported. Previously only "Software\Microsoft\Windows\CurrentVersion\Policies" in HKEY_CURRENT_USER was recognized.

16. Bugs fixed:

a) archive modification commands could fail for some ZIP archives with file comments;

b) fixed a memory leak when reading contents of .tar.bz2 archives;

c) if source and resulting archive format is the same, the archive conversion command didn't set the original archive time to a newly created archive even if "Original archive time" option was selected in archiving parameters;

d) if "Merge volumes contents" option in "Settings/File list" was turned on, the folder packed size in WinRAR file list could be less than expected when browsing a multivolume archive contents. It didn't include the packed size of file parts continuing from previous volume into calculation;

e) even if "Set file security" extraction option was turned off by default, extraction commands in Explorer context menu still attempted to restore NTFS file security data;

f) WinRAR could read data beyond the end of buffer and crash when unpacking files from specially crafted ZIP archive. We are thankful to Bakker working with Trend Micro Zero Day Initiative for letting us know about this bug.

Version 6.11

1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB.

2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments.

3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version.

4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive.

5. Additional measures to prevent extracting insecure links are implemented.

6. Bugs fixed:

a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later;

b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction.

Version 6.10

1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm.

2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog.

3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older.

4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista.

5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done.

6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction.

7. Switch -si can be used when extracting or testing to read archive data from stdin, such as:

type docs.rar | rar x -si -o+ -pmypwd dummy docs\

Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts.

8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example:

rar a -ep4texts\books archive c:\texts\books\technical

removes "text\books" from archived names, so they start from 'technical'.

9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch.

10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character.

11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data.

12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes.

13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes.

14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently.

15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion.

16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy.

17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives:

WinRAR a -v100k -v200k -v300k arcname.zip

Previously multiple -v<size> switches were supported only for RAR archives.

18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives.

19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened.

20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities.

21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression".

22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name.

23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows.

24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gr
URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

https://technet.microsoft.com/en-us/library/security/ms14-064.aspx

http://rarlab.com/vuln_sfx_html2.htm

https://blake2.net

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies system executable filetype association 2 TTPs 8 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Program Files directory 60 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Exitlag.rar
    1⤵
    PID:1412
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Exitlag.rar"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1220
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3980
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4396
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5112.0.418911610\450067973" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20812 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9eee24d-cd1b-420c-9896-c51c6121fb50} 5112 "\\.\pipe\gecko-crash-server-pipe.5112" 1920 1209597f258 gpu
        3⤵
        PID:4540
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5112.1.1150939980\2066342301" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20848 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3193c5e5-413c-4c9d-874f-b73dde93efb7} 5112 "\\.\pipe\gecko-crash-server-pipe.5112" 2300 12087870a58 socket
        3⤵
        • Checks processor information in registry
        PID:1532
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5112.2.2067337069\856399926" -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3032 -prefsLen 20931 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8739c64d-2584-41a7-aaea-65db92e9163e} 5112 "\\.\pipe\gecko-crash-server-pipe.5112" 3048 12094869d58 tab
        3⤵
        PID:3956
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5112.3.535575316\1572021169" -childID 2 -isForBrowser -prefsHandle 1080 -prefMapHandle 1084 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81e6b16c-e653-462c-be80-f6a76d1f4f4b} 5112 "\\.\pipe\gecko-crash-server-pipe.5112" 2468 12096a7ee58 tab
        3⤵
        PID:940
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5112.4.990761525\1910546234" -childID 3 -isForBrowser -prefsHandle 1448 -prefMapHandle 3600 -prefsLen 26441 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82c70ca-58f2-4035-92bd-4e84cd7cfa27} 5112 "\\.\pipe\gecko-crash-server-pipe.5112" 3808 120998b7a58 tab
        3⤵
        PID:3664
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5112.5.1846236378\233243392" -childID 4 -isForBrowser -prefsHandle 2836 -prefMapHandle 2800 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7bdb559-b754-4b15-9885-83b67bdd259b} 5112 "\\.\pipe\gecko-crash-server-pipe.5112" 4892 12096fc7c58 tab
        3⤵
        PID:4840
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5112.6.1156814579\985307250" -childID 5 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b2c881d-0110-41a1-b198-092010b412d6} 5112 "\\.\pipe\gecko-crash-server-pipe.5112" 5080 12096fc7058 tab
        3⤵
        PID:4368
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5112.7.1482751189\1372551894" -childID 6 -isForBrowser -prefsHandle 5364 -prefMapHandle 5080 -prefsLen 26500 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72d805fd-3504-4efa-bc7e-5c12cf42e557} 5112 "\\.\pipe\gecko-crash-server-pipe.5112" 5376 12087830558 tab
        3⤵
        PID:2252
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5112.8.427862461\1351391456" -childID 7 -isForBrowser -prefsHandle 5740 -prefMapHandle 5704 -prefsLen 26675 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6551ddc9-0608-4430-8254-349b48ad7645} 5112 "\\.\pipe\gecko-crash-server-pipe.5112" 5688 1209cd52d58 tab
        3⤵
        PID:3452
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5112.9.641957266\1953523440" -childID 8 -isForBrowser -prefsHandle 6076 -prefMapHandle 6016 -prefsLen 26692 -prefMapSize 232645 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f8dcada-661e-4107-a166-22e027e1fba9} 5112 "\\.\pipe\gecko-crash-server-pipe.5112" 6084 12096fc7658 tab
        3⤵
        PID:1344
      • C:\Users\Admin\Downloads\winrar-x64-621.exe
        "C:\Users\Admin\Downloads\winrar-x64-621.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        PID:3760
        • C:\Program Files\WinRAR\uninstall.exe
          "C:\Program Files\WinRAR\uninstall.exe" /setup
          4⤵
          • Executes dropped EXE
          • Modifies system executable filetype association
          • Registers COM server for autorun
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3304
  • C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\AppData\Local\Temp\Exitlag.rar"
    1⤵
    • Executes dropped EXE
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1220
  • C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Desktop\Exitlag.rar" C:\Users\Admin\Desktop\Exitlag\
    1⤵
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    PID:732
  • C:\Users\Admin\Desktop\Exitlag\Installer.exe
    "C:\Users\Admin\Desktop\Exitlag\Installer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:5052
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4152
  • C:\Users\Admin\Desktop\Exitlag\Installer.exe
    "C:\Users\Admin\Desktop\Exitlag\Installer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:2892
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
  • C:\Users\Admin\Desktop\Exitlag\Installer.exe
    "C:\Users\Admin\Desktop\Exitlag\Installer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:4584
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:316
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2116
  • C:\Users\Admin\Desktop\Exitlag\Installer.exe
    "C:\Users\Admin\Desktop\Exitlag\Installer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:1840
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1492
  • C:\Users\Admin\Desktop\Exitlag\Installer.exe
    "C:\Users\Admin\Desktop\Exitlag\Installer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:4512
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:216
  • C:\Users\Admin\Desktop\Exitlag\Installer.exe
    "C:\Users\Admin\Desktop\Exitlag\Installer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:4148
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3372
  • C:\Users\Admin\Desktop\Exitlag\Installer.exe
    "C:\Users\Admin\Desktop\Exitlag\Installer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:3020
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4616
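
The tree above contains three patterns a responder would want flagged without reading every line: cmd.exe invoked directly on the .rar in the user's Temp directory, a dropped Installer.exe on the Desktop that uses SetThreadContext and then starts the .NET AppLaunch.exe with an empty command line (the shape commonly associated with process hollowing into a signed host binary), and a browser child that is itself a dropped executable (the WinRAR installer fetched through Firefox). The script below is an added example, not the sandbox's own tooling or anything the page describes: PROCESSES is constructed from the tree (PIDs, image paths and behaviour flags copied from the report, backslashes in the AppLaunch.exe command line un-doubled, ppid 0 for roots); the tuple layout, the HOLLOW_TARGETS list and the rule names are this example's assumptions. Rule 4 fires on legitimate installers as well, as it does here for WinRAR's uninstall.exe /setup, so it is a review prompt rather than a verdict.

```python
"""Heuristic triage of a sandbox process tree (added example; not the report's tooling)."""
import ntpath

# Constructed from the report's tree: (pid, ppid, image, cmdline, behaviour flags).
# ppid 0 means the parent is not part of the tree. The tuple layout is an assumption.
PROCESSES = [
    (1412, 0, r"C:\Windows\system32\cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\Exitlag.rar", set()),
    (4768, 0, r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe"', {"WriteProcessMemory"}),
    (5112, 4768, r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe"', {"WriteProcessMemory", "NTFS ADS"}),
    (3760, 5112, r"C:\Users\Admin\Downloads\winrar-x64-621.exe",
     r'"C:\Users\Admin\Downloads\winrar-x64-621.exe"', {"Executes dropped EXE"}),
    (3304, 3760, r"C:\Program Files\WinRAR\uninstall.exe",
     r'"C:\Program Files\WinRAR\uninstall.exe" /setup',
     {"Executes dropped EXE", "Registers COM server for autorun"}),
    (5052, 0, r"C:\Users\Admin\Desktop\Exitlag\Installer.exe",
     r'"C:\Users\Admin\Desktop\Exitlag\Installer.exe"',
     {"Executes dropped EXE", "SetThreadContext"}),
    (4152, 5052, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
     {"EnumeratesProcesses", "AdjustPrivilegeToken"}),
    (2116, 0, r"C:\Windows\system32\taskmgr.exe",
     r'"C:\Windows\system32\taskmgr.exe" /4', set()),
]

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".iso")
# Signed .NET/system binaries often chosen as hollowing hosts (this example's own list).
HOLLOW_TARGETS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                  "installutil.exe", "aspnet_compiler.exe"}


def basename(image):
    return ntpath.basename(image).lower()


def in_user_dir(path):
    return any(part in path.lower() for part in USER_WRITABLE)


def args_after_image(cmdline):
    """Arguments that follow the (possibly quoted) program path; "" if there are none."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end > 0 else ""
    return s.split(" ", 1)[1].strip() if " " in s else ""


def triage(processes):
    """Return [(pid, rule)] for every process matching one of four heuristics."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmdline, flags in processes:
        name = basename(image)
        parent = by_pid.get(ppid)
        pname = basename(parent[2]) if parent else ""
        # 1. a shell told to "run" an archive that lives in a user-writable directory
        if name == "cmd.exe" and cmdline.lower().endswith(ARCHIVE_EXT) and in_user_dir(cmdline):
            findings.append((pid, "shell-on-archive"))
        # 2. hollowing heuristic: a dropped parent that used SetThreadContext started
        #    a known host binary with an empty command line
        if (parent and name in HOLLOW_TARGETS and not args_after_image(cmdline)
                and "SetThreadContext" in parent[4] and in_user_dir(parent[2])):
            findings.append((pid, "possible-hollowing:" + pname))
        # 3. download-and-run: a browser child that is itself a dropped executable
        if pname in BROWSERS and in_user_dir(image) and "Executes dropped EXE" in flags:
            findings.append((pid, "browser-spawned-dropped-exe"))
        # 4. persistence-relevant registry change, queued for manual review
        if "Registers COM server for autorun" in flags:
            findings.append((pid, "com-autorun-registration"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(PROCESSES):
        print(f"PID {pid}: {rule}")
```

Run against the constructed list this reports 1412 (shell-on-archive), 3760 (browser-spawned-dropped-exe), 3304 (com-autorun-registration) and 4152 (possible-hollowing:installer.exe); the Firefox content processes, taskmgr.exe and the Installer.exe parent itself produce nothing, which is the point of keying rule 2 on the child rather than the parent. Note that the report reuses PID 1220 for both vlc.exe and the first WinRAR.exe, so any real implementation must key on (pid, start time) rather than pid alone.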

                        Network

                        MITRE ATT&CK Enterprise v6

                        Downloads
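
The dropped-file table that follows is the part of a sandbox report that ends up in a blocklist, and the same file appears in it several times because the sandbox records every write. The script below is an added example, not the sandbox's own tooling: it parses entries in either the compact layout or the flattened one a text extraction produces, merges repeats by SHA256 (an entry that lacks its SHA256, for instance a truncated one, is skipped rather than guessed), refuses malformed hashes instead of ingesting them silently, and sweeps a directory computing all four digests in one chunked pass. The two sample entries are copied from this table; the file written by demo() is constructed and matches nothing in the report. A hash list only catches byte-identical files, so it belongs beside behavioural rules, not in place of them.

```python
import hashlib
import os
import re
import tempfile

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Two entries copied from the report's table: the first compact, the second in the
# flattened layout text extraction produces, then repeated with other fields filled.
SAMPLE_REPORT = r"""
• C:\Program Files\WinRAR\Rar.txt
  Filesize  109KB
  MD5       e51d9ff73c65b76ccd7cd09aeea99c3c
  SHA1      d4789310e9b7a4628154f21af9803e88e89e9b1b
  SHA256    7456f489100ec876062d68d152081167ac00d45194b17af4a8dd53680acfc9bd
• C:\Users\Admin\Desktop\Exitlag\Installer.exe
  MD5
  dc58d57e15657e75c88fc138ec07f2ff
  SHA256
  d9024a2e72e2e8fa7ed874763d8cfec931cacd4636f52cd4422a4ae30fa66272
• C:\Users\Admin\Desktop\Exitlag\Installer.exe
  SHA1      44c88ee2cff1fe0d0011465a4a03f532c2f60441
  SHA256    d9024a2e72e2e8fa7ed874763d8cfec931cacd4636f52cd4422a4ae30fa66272
"""


def parse_report(text):
    """Map SHA256 -> {"paths", "md5", "sha1", "sha512", "filesize"}, merging repeats.

    A label's value may sit on the same line or on the next non-empty line.
    Malformed hashes raise; an entry with no SHA256 (e.g. truncated) is skipped.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, cur, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("•"):
            cur = {"path": line[1:].strip()}
            entries.append(cur)
        else:
            label, _, value = line.partition(" ")
            if cur is not None and label in LABELS:
                value = value.strip()
                if not value and i + 1 < len(lines):  # value is on the next line
                    i += 1
                    value = lines[i]
                if label in HEX_LEN:
                    value = value.lower()
                    if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[label], value):
                        raise ValueError(f"malformed {label} for {cur['path']}: {value!r}")
                cur[label.lower()] = value
        i += 1
    iocs = {}
    for e in entries:
        if "sha256" not in e:
            continue
        rec = iocs.setdefault(e["sha256"], {"paths": []})
        for k in ("md5", "sha1", "sha512", "filesize"):
            rec[k] = rec.get(k) or e.get(k)
        if e["path"] not in rec["paths"]:
            rec["paths"].append(e["path"])
    return iocs


def hash_file(path, chunk=1 << 20):
    """All four digests in one chunked pass over the file."""
    hs = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hs.items()}


def sweep(root, iocs):
    """Return [(local_path, report_paths)] for files under root whose SHA256 is an IOC."""
    hits = []
    for d, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(d, fn)
            try:
                digest = hash_file(p)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if digest["sha256"] in iocs:
                hits.append((p, list(iocs[digest["sha256"]]["paths"])))
    return hits


def demo():
    """Parse the sample, add one constructed IOC, sweep a throw-away directory."""
    iocs = parse_report(SAMPLE_REPORT)
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "constructed.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample bytes, not a real artifact\n")
        d = hash_file(sample)  # the constructed file becomes its own IOC
        iocs[d["sha256"]] = {"paths": ["constructed.bin"], "md5": d["md5"]}
        hits = sweep(tmp, iocs)
    return iocs, hits
```

Keying on SHA256 rather than MD5 is deliberate: MD5 collisions are cheap to produce, and the report supplies both, so the stronger digest is the join key and MD5/SHA1 ride along for tools that only accept those.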

  • C:\Program Files\WinRAR\Rar.txt
    Filesize  109KB
    MD5       e51d9ff73c65b76ccd7cd09aeea99c3c
    SHA1      d4789310e9b7a4628154f21af9803e88e89e9b1b
    SHA256    7456f489100ec876062d68d152081167ac00d45194b17af4a8dd53680acfc9bd
    SHA512    57ab82d4a95d3b5d181c0ec1a1a1de56a4d6c83af5644032ff3af71e9bd8e13051ae274609bda8b336d70a99f2fba17331773694d7e98d4a7635f7b59651b77c

  • C:\Program Files\WinRAR\RarExt.dll
    Filesize  659KB
    MD5       4f190f63e84c68d504ae198d25bf2b09
    SHA1      56a26791df3d241ce96e1bb7dd527f6fecc6e231
    SHA256    3a5d6267a16c3cf5a20c556a7ddbfc80c64fcd2700a8bfd901e328b3945d6a1a
    SHA512    521ada80acc35d41ac82ce41bcb84496a3c95cb4db34830787c13cdcb369c59830c2f7ff291f21b7f204d764f3812b68e77fd3ab52dfe0d148c01580db564291

  • C:\Program Files\WinRAR\Uninstall.exe
    Filesize  437KB
    MD5       cac9723066062383778f37e9d64fd94e
    SHA1      1cd78fc041d733f7eacdd447371c9dec25c7ef2c
    SHA256    e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
    SHA512    2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59

  • C:\Program Files\WinRAR\WhatsNew.txt
    Filesize  103KB
    MD5       4c88a040b31c4d144b44b0dc68fb2cc8
    SHA1      bf473f5a5d3d8be6e5870a398212450580f8b37b
    SHA256    6f1a005a0e5c765fcc68fe15f7ccd18667a6e583980e001ba7181aaaeed442b8
    SHA512    e7f224a21d7c111b83775c778e6d9fa447e53809e0efd4f3ba99c7d6206036aa3dde9484248b244fb26789467559a40516c8e163d379e84dcf31ac84b4c5d2a8

  • C:\Program Files\WinRAR\WinRAR.chm
    Filesize  317KB
    MD5       381eae01a2241b8a4738b3c64649fbc0
    SHA1      cc5944fde68ed622ebee2da9412534e5a44a7c9a
    SHA256    ad58f39f5d429b5a3726c4a8ee5ccada86d24273eebf2f6072ad1fb61ea82d6e
    SHA512    f7a8903ea38f2b62d6fa2cc755e0d972a14d00a2e1047e6e983902eff1d3a6bca98327c2b8ed47e46435d1156816e4b0d494726fce87b6cbe7722f5249889b88

  • C:\Program Files\WinRAR\WinRAR.exe
    Filesize  2.4MB
    MD5       46d15a70619d5e68415c8f22d5c81555
    SHA1      12ec96e89b0fd38c469546042e30452b070e337f
    SHA256    2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781
    SHA512    09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb

  • C:\Program Files\WinRAR\uninstall.exe
    Filesize  437KB
    MD5       cac9723066062383778f37e9d64fd94e
    SHA1      1cd78fc041d733f7eacdd447371c9dec25c7ef2c
    SHA256    e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
    SHA512    2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
    Filesize  2KB
    MD5       28246fc73104f5fe60c4f7a1d64041e3
    SHA1      27aa85723ce153df5d5f1310fa14bce253010cde
    SHA256    9946294069380b22015373e2434ea29297c97e96a24a2fb81a28cfd7fe2b781d
    SHA512    49d16454d110d59866eb60474f2b93c7db6d5c4d485c43ad1b4059c1c5e23533532f19fe00193baed7355ece0025c677c825fac80712a259e1112c97f25d671d

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jesyn8dv.default-release\activity-stream.discovery_stream.json.tmp
    Filesize  150KB
    MD5       8e7b4d262708b9c7d5e4759dedd2dc14
    SHA1      80ec075050b781e7ccb5de7d6cf8f39ee549ca8a
    SHA256    7c678540f5b250abd4325908f9addd66148c7991ca2b488dc9a525e5b3e5cdd2
    SHA512    16167ade14a075a7e80d6e45f3707556833c1b18d5bccf0b15d4c3102affeb2d039e148a348e44fb89402847c1af4747dffbc1b371c9772cc662636375b5c052

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\cookies.sqlite
    Filesize  512KB
    MD5       8a4efda7f33cb8c356269965384b224f
    SHA1      d71dd4a5908ce1ed9a3fc5abda8d5db60219292e
    SHA256    1668324f559d99d280abb717e73ad20b143179140123047685583604c1725220
    SHA512    fec4eafe9f9bcbd37a6a6314ca4f8c69f6cb5f0f6d27fa09381294e3db76f78e6b38eeafd28fbe320b38220aa08b7a3b442054548b0d15f2eebda953856bb15b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
    Filesize  6KB
    MD5       9763759c10016e0c77c3697f2cff1d75
    SHA1      c96d0efc939b6afc183deb5490c5ad40242b70f3
    SHA256    5d7e2749b9dc02a84cfff8086658f5c7846279f25592762ce7f125172a5e1d88
    SHA512    d15d7288bb1b8773be849f07411dc376be20022bab478765b1f4024674b1bf808cc4fee803f5baa3bf5a36793ba178c8af3da451b4e8d735882d9c221ae01c0f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
    Filesize  6KB
    MD5       8469da9db16dafa1c212d5eb9fc610ef
    SHA1      4dda495669d9b09b337211c076e22124996bf2f6
    SHA256    9385c8bca63a0e3723bce43ac6643780f88c3dea38be25a6f6d9bfa90c41f50b
    SHA512    b390c88aa21c3e07dbc4febd50ee224bb478ef990e6c7826bdb9c5ed1dd5c3bc55c52731be0e0ca551c3e115e3577e82b1bb25780c8d888a01b5221851b42ffb

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
    Filesize  6KB
    MD5       f7fb43d935bc6340290869d96ff540ec
    SHA1      9bab248db00545932b1b9d208b4869c3c9d5681f
    SHA256    7b4658813da55b173f107a078c73c469094a98fe6fe992f0e0ba9c95282e436d
    SHA512    758ebe403bf92a60e76d73676c196643afc7abda3e1bb8e26feacaf7e22531ed0d0f1abcfed6f5b76273dd4e6e5fb0479fe42199627174141d6802fbf79d4f02

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs-1.js
    Filesize  6KB
    MD5       e2b6a6442f617553e47cdfe293af39e4
    SHA1      a715c1231d65e288a51763a5d63622ad74f0d382
    SHA256    4c241dcaf51e0e04da357bf61c191039e49f00338ec928c81561c1a957580f3b
    SHA512    62fe3afad68b7a6bb1c9d3302f840526725d5141812275b77b92b39f04a103e94721daf730c4cab7af17a992cf7b36978ad41a3b5bb4accaedde8ab60d05075d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\prefs.js
    Filesize  6KB
    MD5       9971fa8fa89a208685d3e30835832fb5
    SHA1      5d9972a3bdbd4c18b3648597d2fd9f9fd6e30300
    SHA256    13417a67a65fecc73ad5acc94d17d8a6fac3b0a343daf12d1cd2d126b9198084
    SHA512    02b107e0d9449fa2d4d3655a880fbdeea4477205fa6c21aaf641c3d358353aa437cf040ec842107f973253bef767e48b9a0267dea5ed2d331aa192ef540e3b1f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  3KB
    MD5       d62642790bbf4444e01b119fe2057e82
    SHA1      8f058f14c33f1cdb8ba7b0936b98e450de920d7c
    SHA256    cf5883590163fe62f20ff69e77b622e90a2145f48fa31437ec5c787a293df7aa
    SHA512    9bcf427e4cb0e65d0fc080a9ab97332c84282c25d9a6b8150a31e9240b820f1b55962157fb01e70acb763429ddd8501f99ba18712e36724f3172f790cce3d793

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize  3KB
    MD5       eb717056b8904f1adbfa6e1ff44cddba
    SHA1      02780a6cdd6edf35ad7daed2a21bf368292d3c29
    SHA256    1fd5a19304c0082733b6a1c4441b6d58873f937e8834d46d03cadc93b85442b4
    SHA512    3a0e6a0a6f43a1f0a1e241dc2d95f9ce3ee0d75dab935b1e7be7418a8f127fc86c7fac36ed7f30a64ef7f72a417920c707d8361f6f201a26c8f0d21f46e48cf4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\sessionstore.jsonlz4
    Filesize  3KB
    MD5       a1de57a494d085af84c375860f8d2d9f
    SHA1      19acd583e310a9afbfdbf90af0c1f950ade71ea3
    SHA256    80e284f6aed749bd681eb384fd5cdbb74ca451f330aef7ded14559443d6524c9
    SHA512    a3bc3416cdefb740e5eb55fc0b2fc811ced86f9421e3145258fc46ccc81ce3b8a36f2a5a99c4f8e1d977a0d5e6b4e0e3aee79ba94c1cebfefdece46d8bdc3f50

  • C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
    Filesize  12B
    MD5       c0d3ae3e2e277abcdd9d85350ef0df3c
    SHA1      2e67dbe5c50eea0f118c2d5998eb4685f902ba1b
    SHA256    2c062571c966e19bbc64a0d0d4e6c16e02566f246c659fc214f00ca79816e791
    SHA512    6c928f85d4dc3fe2d16a8e46fc53912f840ef5666ce67a8f3250c7963c686178d5cd9924ea3e3edb486d34fa162c93d65fae25f332648c20aeefd51edbfc66cd

  • C:\Users\Admin\AppData\Roaming\vlc\ml.xspf
    Filesize  304B
    MD5       781602441469750c3219c8c38b515ed4
    SHA1      e885acd1cbd0b897ebcedbb145bef1c330f80595
    SHA256    81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d
    SHA512    2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

  • C:\Users\Admin\AppData\Roaming\vlc\ml.xspf.tmp4396
    Filesize  304B
    MD5       781602441469750c3219c8c38b515ed4
    SHA1      e885acd1cbd0b897ebcedbb145bef1c330f80595
    SHA256    81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d
    SHA512    2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

  • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
    Filesize  84B
    MD5       6f42593bb19d57dc47eb52b821cdb6c8
    SHA1      cbf43a9a5c7a8d13c16087f37a55d7e7674fa840
    SHA256    2eab00b641cf1e9008ec8980c4fea55a4fa47f9f319cab2a2508747853f84af1
    SHA512    80b66776fa540f2c253df04e5f78d919d50ce5c9ac35ab51381ede78b2cdf02775e3be3403fd064af54cf0f649756985130ce9c9f26110a826e94452ad7e74f4

  • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Dr4396
    Filesize  84B
    MD5       6f42593bb19d57dc47eb52b821cdb6c8
    SHA1      cbf43a9a5c7a8d13c16087f37a55d7e7674fa840
    SHA256    2eab00b641cf1e9008ec8980c4fea55a4fa47f9f319cab2a2508747853f84af1
    SHA512    80b66776fa540f2c253df04e5f78d919d50ce5c9ac35ab51381ede78b2cdf02775e3be3403fd064af54cf0f649756985130ce9c9f26110a826e94452ad7e74f4

                        • C:\Users\Admin\Desktop\Exitlag\Installer.exe
                          Filesize: 358KB
                          MD5: dc58d57e15657e75c88fc138ec07f2ff
                          SHA1: 44c88ee2cff1fe0d0011465a4a03f532c2f60441
                          SHA256: d9024a2e72e2e8fa7ed874763d8cfec931cacd4636f52cd4422a4ae30fa66272
                          SHA512: 52abe25b98d136ed8e5d3d83834e224885c9f448dbe9c235daf1f987ce263c3456acd463967c573fd7866d70c89f4633e874eb11289c826aeadc4946b39fa9ec

                        • C:\Users\Admin\Downloads\winrar-x64-621.UQqPyUA8.exe.part
                          Filesize: 351KB
                          MD5: 8d6937749eea10b0672ef2cd11371623
                          SHA1: ac36a72313715890d54ae4e81379a95c66199b08
                          SHA256: 679e536a01fc8e1832f5986dd1ad663857371396f578df29c2b6bc5059795ba4
                          SHA512: 96be973d7245c0ba4c8b84ff3891846a86bfb9db1777f2525a237845d5b995bc7b88089de10dccfb18a7c14d338a4425cfa5e5474530531421c261edd2edc6a1

                        • C:\Users\Admin\Downloads\winrar-x64-621.exe
                          Filesize: 3.4MB
                          MD5: 766ac70b840c029689d3c065712cf46e
                          SHA1: e54f4628076d81b36de97b01c098a2e7ba123663
                          SHA256: 06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
                          SHA512: 49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

                        • memory/216-1902-0x0000000005670000-0x0000000005680000-memory.dmp
                          Filesize: 64KB

                        • memory/316-1872-0x00000000056E0000-0x00000000056F0000-memory.dmp
                          Filesize: 64KB

                        • memory/1220-148-0x00007FFB003F0000-0x00007FFB006A4000-memory.dmp
                          Filesize: 2.7MB

                        • memory/1220-147-0x00007FFB01BD0000-0x00007FFB01C04000-memory.dmp
                          Filesize: 208KB

                        • memory/1220-146-0x00007FF7992B0000-0x00007FF7993A8000-memory.dmp
                          Filesize: 992KB

                        • memory/1220-150-0x00007FFAFE7E0000-0x00007FFAFE8F2000-memory.dmp
                          Filesize: 1.1MB

                        • memory/1220-149-0x00007FFAFF140000-0x00007FFB001EB000-memory.dmp
                          Filesize: 16.7MB

                        • memory/1492-1893-0x0000000005370000-0x0000000005380000-memory.dmp
                          Filesize: 64KB

                        • memory/2712-1864-0x0000000005BF0000-0x0000000005C00000-memory.dmp
                          Filesize: 64KB

                        • memory/3372-1910-0x0000000004E30000-0x0000000004E40000-memory.dmp
                          Filesize: 64KB

                        • memory/4152-1844-0x0000000004910000-0x000000000494C000-memory.dmp
                          Filesize: 240KB

                        • memory/4152-1840-0x0000000000400000-0x0000000000446000-memory.dmp
                          Filesize: 280KB

                        • memory/4152-1854-0x0000000005B10000-0x0000000005B60000-memory.dmp
                          Filesize: 320KB

                        • memory/4152-1852-0x0000000005A80000-0x0000000005A9E000-memory.dmp
                          Filesize: 120KB

                        • memory/4152-1851-0x0000000006860000-0x0000000006D8C000-memory.dmp
                          Filesize: 5.2MB

                        • memory/4152-1850-0x0000000005B60000-0x0000000005D22000-memory.dmp
                          Filesize: 1.8MB

                        • memory/4152-1849-0x0000000005910000-0x0000000005986000-memory.dmp
                          Filesize: 472KB

                        • memory/4152-1848-0x0000000005870000-0x0000000005902000-memory.dmp
                          Filesize: 584KB

                        • memory/4152-1847-0x0000000005D80000-0x0000000006324000-memory.dmp
                          Filesize: 5.6MB

                        • memory/4152-1846-0x0000000004C50000-0x0000000004CB6000-memory.dmp
                          Filesize: 408KB

                        • memory/4152-1845-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
                          Filesize: 64KB

                        • memory/4152-1843-0x00000000049E0000-0x0000000004AEA000-memory.dmp
                          Filesize: 1.0MB

                        • memory/4152-1842-0x00000000048B0000-0x00000000048C2000-memory.dmp
                          Filesize: 72KB

                        • memory/4152-1841-0x0000000004EB0000-0x00000000054C8000-memory.dmp
                          Filesize: 6.1MB

                        • memory/4396-166-0x00007FFB11090000-0x00007FFB110AB000-memory.dmp
                          Filesize: 108KB

                        • memory/4396-212-0x00007FFB01D60000-0x00007FFB01DB6000-memory.dmp
                          Filesize: 344KB

                        • memory/4396-173-0x00007FFB10FA0000-0x00007FFB10FB1000-memory.dmp
                          Filesize: 68KB

                        • memory/4396-167-0x00007FFB11070000-0x00007FFB11081000-memory.dmp
                          Filesize: 68KB

                        • memory/4396-168-0x00007FFB11050000-0x00007FFB11068000-memory.dmp
                          Filesize: 96KB

                        • memory/4396-170-0x00007FFB10CB0000-0x00007FFB10D17000-memory.dmp
                          Filesize: 412KB

                        • memory/4396-169-0x00007FFB10FC0000-0x00007FFB10FF0000-memory.dmp
                          Filesize: 192KB

                        • memory/4396-171-0x00007FFB02AD0000-0x00007FFB02B3F000-memory.dmp
                          Filesize: 444KB

                        • memory/4396-174-0x00007FFAFFEE0000-0x00007FFB00058000-memory.dmp
                          Filesize: 1.5MB

                        • memory/4396-175-0x00007FFB02200000-0x00007FFB02312000-memory.dmp
                          Filesize: 1.1MB

                        • memory/4396-177-0x00007FFB108A0000-0x00007FFB108BD000-memory.dmp
                          Filesize: 116KB

                        • memory/4396-216-0x00007FFB021D0000-0x00007FFB021F3000-memory.dmp
                          Filesize: 140KB

                        • memory/4396-176-0x00007FFB109C0000-0x00007FFB109D7000-memory.dmp
                          Filesize: 92KB

                        • memory/4396-178-0x00007FFB08340000-0x00007FFB08351000-memory.dmp
                          Filesize: 68KB

                        • memory/4396-179-0x00007FFAFD040000-0x00007FFAFE0EB000-memory.dmp
                          Filesize: 16.7MB

                        • memory/4396-207-0x00007FFB02200000-0x00007FFB02312000-memory.dmp
                          Filesize: 1.1MB

                        • memory/4396-211-0x00007FFAFD040000-0x00007FFAFE0EB000-memory.dmp
                          Filesize: 16.7MB

                        • memory/4396-172-0x00007FFB11030000-0x00007FFB11041000-memory.dmp
                          Filesize: 68KB

                        • memory/4396-213-0x00007FFB02DE0000-0x00007FFB02E08000-memory.dmp
                          Filesize: 160KB

                        • memory/4396-215-0x00007FFB07FC0000-0x00007FFB07FD7000-memory.dmp
                          Filesize: 92KB

                        • memory/4396-164-0x00007FFB110D0000-0x00007FFB110E1000-memory.dmp
                          Filesize: 68KB

                        • memory/4396-214-0x00007FFB02D50000-0x00007FFB02D74000-memory.dmp
                          Filesize: 144KB

                        • memory/4396-165-0x00007FFB110B0000-0x00007FFB110C1000-memory.dmp
                          Filesize: 68KB

                        • memory/4396-163-0x00007FFB110F0000-0x00007FFB11101000-memory.dmp
                          Filesize: 68KB

                        • memory/4396-162-0x00007FFB11110000-0x00007FFB11128000-memory.dmp
                          Filesize: 96KB

                        • memory/4396-161-0x00007FFB186B0000-0x00007FFB186D1000-memory.dmp
                          Filesize: 132KB

                        • memory/4396-160-0x00007FFB15D50000-0x00007FFB15D8F000-memory.dmp
                          Filesize: 252KB

                        • memory/4396-159-0x00007FFB00800000-0x00007FFB00A00000-memory.dmp
                          Filesize: 2.0MB

                        • memory/4396-158-0x00007FFB18A00000-0x00007FFB18A11000-memory.dmp
                          Filesize: 68KB

                        • memory/4396-157-0x00007FFB18A20000-0x00007FFB18A37000-memory.dmp
                          Filesize: 92KB

                        • memory/4396-156-0x00007FFB18A40000-0x00007FFB18A58000-memory.dmp
                          Filesize: 96KB

                        • memory/4396-155-0x00007FFB01790000-0x00007FFB01A44000-memory.dmp
                          Filesize: 2.7MB

                        • memory/4396-154-0x00007FFB18A90000-0x00007FFB18AC4000-memory.dmp
                          Filesize: 208KB

                        • memory/4396-153-0x00007FF7992B0000-0x00007FF7993A8000-memory.dmp
                          Filesize: 992KB

                        • memory/4616-1918-0x0000000004E30000-0x0000000004E40000-memory.dmp
                          Filesize: 64KB