Resubmissions
date | submission id | score
31-03-2023 17:55 | 230331-whl5psde7y | 10
31-03-2023 17:48 | 230331-wdf3wsde4s | 1
31-03-2023 17:47 | 230331-wc4gsscb74 | 1
31-03-2023 17:39 | 230331-v8eymsdd81 | 4
31-03-2023 16:18 | 230331-tsdvzabe59 | 4

Analysis
max time kernel: 333s
max time network: 324s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2023 17:55
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/file/6pwW0ZCR#ZDz57mbDtRrC4o2xQ1n78q2zMZQ_P2ZfAzmGqa15VSE
Resource: win10v2004-20230220-en

General
Target: https://mega.nz/file/6pwW0ZCR#ZDz57mbDtRrC4o2xQ1n78q2zMZQ_P2ZfAzmGqa15VSE
Malware Config

Extracted from C:\Program Files\WinRAR\WhatsNew.txt (URL strings):
  https
  http
  http://weirdsgn.com
  http://icondesignlab.com
  https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
  https://technet.microsoft.com/en-us/library/security/ms14-064.aspx
  http://rarlab.com/vuln_sfx_html2.htm
  https://blake2.net

Extracted from C:\Program Files\WinRAR\Rar.txt
Signatures

Detect Neshta payload (3 IoCs)
Processes (resource | yara_rule):
C:\Users\Admin\Downloads\Dangerous RAT 2020\Dangerous RAT 2020.exe | family_neshta
C:\Users\Admin\Downloads\Dangerous RAT 2020\Dangerous RAT 2020.exe | family_neshta
behavioral1/memory/848-1221-0x0000000000120000-0x0000000000C5E000-memory.dmp | family_neshta

Neshta
Malware from the Neshta family is a file infector: it injects its own code into other executable files in order to spread and cause damage.

Downloads MZ/PE file
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | winrar-x64-621.exe
Executes dropped EXE (4 IoCs)
Processes (pid | process):
3132 | winrar-x64-621.exe
4456 | uninstall.exe
380 | WinRAR.exe
848 | Dangerous RAT 2020.exe
Loads dropped DLL (5 IoCs)
Processes (pid | process):
3144 | 
848 | Dangerous RAT 2020.exe
848 | Dangerous RAT 2020.exe
848 | Dangerous RAT 2020.exe
848 | Dangerous RAT 2020.exe
Modifies system executable filetype association (2 TTPs, 8 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | uninstall.exe
Registers COM server for autorun (1 TTP, 3 IoCs)
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | uninstall.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (62 IoCs)
Processes (description | ioc | process):
File created | C:\Program Files\WinRAR\WinCon.SFX | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\Descript.ion | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\Rar.txt | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\WinRAR.exe | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\7zxa.dll | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\Resources.pri | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\Zip.SFX | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\License.txt | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\WhatsNew.txt | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\RarFiles.lst | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\RarExtInstaller.exe | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\Uninstall.exe | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\RarExt.dll | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\zipnew.dat | uninstall.exe
File created | C:\Program Files\WinRAR\ReadMe.txt | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\WinRAR.exe | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\RarExtPackage.msix | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\RarExtPackage.msix | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\Default64.SFX | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\WinRAR.chm | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\RarExt32.dll | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\WinRAR.chm | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\Descript.ion | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\Order.htm | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\RarExtInstaller.exe | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\ReadMe.txt | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\Uninstall.lst | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\UnRAR.exe | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\WinCon.SFX | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\Zip64.SFX | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\Resources.pri | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\WinCon64.SFX | winrar-x64-621.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230331195558.pma | setup.exe
File created | C:\Program Files\WinRAR\RarFiles.lst | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\Rar.exe | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\RarExt32.dll | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\Zip64.SFX | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\rarnew.dat | uninstall.exe
File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\License.txt | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\WhatsNew.txt | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\Uninstall.lst | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\Uninstall.exe | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\Default.SFX | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\Default64.SFX | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\WinCon64.SFX | winrar-x64-621.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\8c739fe5-46e1-411d-ac07-076b02cbd8d5.tmp | setup.exe
File created | C:\Program Files\WinRAR\Rar.txt | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\7zxa.dll | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\Order.htm | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\Rar.exe | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\UnRAR.exe | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\RarExt.dll | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\Default.SFX | winrar-x64-621.exe
File opened for modification | C:\Program Files\WinRAR\Zip.SFX | winrar-x64-621.exe
File created | C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240816312 | winrar-x64-621.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes (pid | pid_target | process | target process):
2160 | 4388 | WerFault.exe | 
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies registry class (64 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r25\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tlz | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r05 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r22 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lha | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r06\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r25 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r08 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.7z | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r15\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cab | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r24 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r20 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r18 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
NTFS ADS (1 IoC)
Processes (description | ioc | process):
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 724068.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes (pid | process):
2732 | powershell.exe (2 entries)
4752 | msedge.exe (2 entries)
3128 | msedge.exe (2 entries)
2368 | identity_helper.exe (2 entries)
4952 | msedge.exe (4 entries)
1984 | msedge.exe (2 entries)
3540 | msedge.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (17 IoCs)
Processes (pid | process):
3128 | msedge.exe (17 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 2732 | powershell.exe
Token: 33 | 3296 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3296 | AUDIODG.EXE
Token: SeDebugPrivilege | 848 | Dangerous RAT 2020.exe
Suspicious use of FindShellTrayWindow (44 IoCs)
Processes (pid | process):
3128 | msedge.exe (24 entries)
380 | WinRAR.exe (15 entries)
848 | Dangerous RAT 2020.exe (5 entries)
Suspicious use of SendNotifyMessage (4 IoCs)
Processes (pid | process):
848 | Dangerous RAT 2020.exe (4 entries)
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid | process):
3132 | winrar-x64-621.exe (3 entries)
4456 | uninstall.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process):
PID 3128 wrote to memory of 1432 | 3128 | msedge.exe | msedge.exe (2 entries)
PID 3128 wrote to memory of 2020 | 3128 | msedge.exe | msedge.exe (40 entries)
PID 3128 wrote to memory of 4752 | 3128 | msedge.exe | msedge.exe (2 entries)
PID 3128 wrote to memory of 2876 | 3128 | msedge.exe | msedge.exe (20 entries)
Processes (tree depth in brackets; the command line follows each image path, then the signatures matched by that process)

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://mega.nz/file/6pwW0ZCR#ZDz57mbDtRrC4o2xQ1n78q2zMZQ_P2ZfAzmGqa15VSE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://mega.nz/file/6pwW0ZCR#ZDz57mbDtRrC4o2xQ1n78q2zMZQ_P2ZfAzmGqa15VSE
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd7c6946f8,0x7ffd7c694708,0x7ffd7c694718

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff600355460,0x7ff600355470,0x7ff600355480

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4276 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3772 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5856 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6672 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1204 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=1732 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,6768535269332821363,221021690927926936,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7008 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\winrar-x64-621.exe (tree depth 2)
"C:\Users\Admin\Downloads\winrar-x64-621.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx

C:\Program Files\WinRAR\uninstall.exe (tree depth 3)
"C:\Program Files\WinRAR\uninstall.exe" /setup
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\WerFault.exe (tree depth 1)
C:\Windows\system32\WerFault.exe -pss -s 476 -p 4388 -ip 4388

C:\Windows\system32\WerFault.exe (tree depth 1)
C:\Windows\system32\WerFault.exe -u -p 4388 -s 1768
- Program crash

C:\Windows\system32\AUDIODG.EXE (tree depth 1)
C:\Windows\system32\AUDIODG.EXE 0x408 0x2fc
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe (tree depth 1)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\WinRAR\WinRAR.exe (tree depth 1)
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Downloads\Dangerous RAT 2020.rar" C:\Users\Admin\Downloads\
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow

C:\Users\Admin\Downloads\Dangerous RAT 2020\Dangerous RAT 2020.exe (tree depth 1)
"C:\Users\Admin\Downloads\Dangerous RAT 2020\Dangerous RAT 2020.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Downloads
-
C:\Program Files\WinRAR\Rar.txtFilesize
109KB
MD5e51d9ff73c65b76ccd7cd09aeea99c3c
SHA1d4789310e9b7a4628154f21af9803e88e89e9b1b
SHA2567456f489100ec876062d68d152081167ac00d45194b17af4a8dd53680acfc9bd
SHA51257ab82d4a95d3b5d181c0ec1a1a1de56a4d6c83af5644032ff3af71e9bd8e13051ae274609bda8b336d70a99f2fba17331773694d7e98d4a7635f7b59651b77c
-
C:\Program Files\WinRAR\RarExt.dllFilesize
659KB
MD54f190f63e84c68d504ae198d25bf2b09
SHA156a26791df3d241ce96e1bb7dd527f6fecc6e231
SHA2563a5d6267a16c3cf5a20c556a7ddbfc80c64fcd2700a8bfd901e328b3945d6a1a
SHA512521ada80acc35d41ac82ce41bcb84496a3c95cb4db34830787c13cdcb369c59830c2f7ff291f21b7f204d764f3812b68e77fd3ab52dfe0d148c01580db564291
-
C:\Program Files\WinRAR\Uninstall.exeFilesize
437KB
MD5cac9723066062383778f37e9d64fd94e
SHA11cd78fc041d733f7eacdd447371c9dec25c7ef2c
SHA256e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
SHA5122b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
-
C:\Program Files\WinRAR\Uninstall.exeFilesize
437KB
MD5cac9723066062383778f37e9d64fd94e
SHA11cd78fc041d733f7eacdd447371c9dec25c7ef2c
SHA256e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
SHA5122b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
-
C:\Program Files\WinRAR\WhatsNew.txtFilesize
103KB
MD54c88a040b31c4d144b44b0dc68fb2cc8
SHA1bf473f5a5d3d8be6e5870a398212450580f8b37b
SHA2566f1a005a0e5c765fcc68fe15f7ccd18667a6e583980e001ba7181aaaeed442b8
SHA512e7f224a21d7c111b83775c778e6d9fa447e53809e0efd4f3ba99c7d6206036aa3dde9484248b244fb26789467559a40516c8e163d379e84dcf31ac84b4c5d2a8
-
C:\Program Files\WinRAR\WinRAR.chmFilesize
317KB
MD5381eae01a2241b8a4738b3c64649fbc0
SHA1cc5944fde68ed622ebee2da9412534e5a44a7c9a
SHA256ad58f39f5d429b5a3726c4a8ee5ccada86d24273eebf2f6072ad1fb61ea82d6e
SHA512f7a8903ea38f2b62d6fa2cc755e0d972a14d00a2e1047e6e983902eff1d3a6bca98327c2b8ed47e46435d1156816e4b0d494726fce87b6cbe7722f5249889b88
-
C:\Program Files\WinRAR\WinRAR.exeFilesize
2.4MB
MD546d15a70619d5e68415c8f22d5c81555
SHA112ec96e89b0fd38c469546042e30452b070e337f
SHA2562e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781
SHA51209446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb
-
C:\Program Files\WinRAR\WinRAR.exeFilesize
2.4MB
MD546d15a70619d5e68415c8f22d5c81555
SHA112ec96e89b0fd38c469546042e30452b070e337f
SHA2562e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781
SHA51209446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb
-
C:\Program Files\WinRAR\uninstall.exeFilesize
437KB
MD5cac9723066062383778f37e9d64fd94e
SHA11cd78fc041d733f7eacdd447371c9dec25c7ef2c
SHA256e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
SHA5122b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD578c7656527762ed2977adf983a6f4766
SHA121a66d2eefcb059371f4972694057e4b1f827ce6
SHA256e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296
SHA5120a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5099b4ba2787e99b696fc61528100f83f
SHA106e1f8b7391e1d548e49a1022f6ce6e7aa61f292
SHA256cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8
SHA5124309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021Filesize
17KB
MD5950eca48e414acbe2c3b5d046dcb8521
SHA11731f264e979f18cdf08c405c7b7d32789a6fb59
SHA256c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2
SHA51227e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD5ea62d780fb52111d2905e896873f49e4
SHA13950ce17d9fcc7a6d8ddb4867925fd9fc05fe18d
SHA256262ee4dc8fb2b5a09775493141c1116485254470e9a64f32dedfbbcd7ff190ef
SHA5120bbb208d7b077e3d4f47a55c2351b4cc02c9fbebe32b29e3e238a8fdd56f2c4b96c4f5c80df6bba82bd0b9ebc2eccb1b4a20b46f7d4f81f21b27e4e3b7cca805
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD57b3721dab5bc5c0dd47bcaa114a71ad2
SHA158b3d68f33d358173c1667cf7b1cb6871e968c86
SHA2568f6aad560c798170961bd088ee817417b79773877d804e32b106c6f77c674e4f
SHA51237d144d13a00d4e31678e948f9608f89c5c6227c0a63730347db1a3f88f9efacdddcbc81577205c1b0e3f2ba71ec1f986a605b836b5956e899499430ae199b12
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
72B
MD517a070847734782a7215cc20f4006cfc
SHA1708ff400d899ca3871d87d012928f89ba953b86a
SHA25610c2c763d58b64e49098e3b8b3bc0f18d37250bdad39975d5db4dda72be5530b
SHA5126198b3dbe3f4c78fa2e5535e4873ce656a626f6310fc562e8c47b602f7164c217f08b0428550ae1ada21a5e68d87480942352c4748fbe17faedf971c699d64e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001Filesize
23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD5be71ecb580ef1a463acd88f8aadc2176
SHA13809f1a2ef30761736408010af4870c2067b2a4c
SHA256c115dd80b51e73faf47f5e47733bb9383fdba42cd381b7e7eb788b459c609e0b
SHA512039bf774bf2498dfc5c4693f7c4fbf886a52bacbfda0074786bdbe99227d5da3c3ba8db49a78c00d48d4d8c6b3a1cc470b4321a0d78a9ccc8d49f7fd672952f4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
188B
MD503da8e9f1c34251a6a9fc171f9972a58
SHA14817ec312c6bd1ce48635f652f4ea8d70a190987
SHA25608bfcc15479ee1cf404d6d0c9aa3a5a1eba16288f4e432b56b66861d88052451
SHA512d8df733d82c529cf321cb5ac9db4216b32b6b6904201207600fec3fcd26c92e550520335e02ff423747d3772ab672ad95528f8bc4a15bd70abf6421d6e0ac727
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1016B
MD59f66f046166712b892cb8342c83b80f7
SHA1b839d3bff48d8313cbe80900cd18184dea6b1e28
SHA25613812c2ef957b339491eead7bf52470b4f930978920152a58d998c69f2a7748e
SHA512fc3219a50da484213dbaf6e1238b81795ec8e7bf6ad894eee5e03e3fb573a43f97abf808e22b2a39ff6093f64b0112f6a21943b9c2924bd8d813f1e28512705f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD5c2b5a4dc036796e2aeaff66440940d22
SHA17e8008b7df16806780fc1e90ba29702b1bb791e8
SHA2566a8686dbaf36e4fd0cd14cf5feed3263b743bd3003c274e40121fdce03353416
SHA51270c8c9a69f6eca44f6c08ad4201ff1741011a23ee1a0b3a23662051f5a05fc392702e32b44717b6b957e795ce104efda89f141d371cfcaadb414dac25c256de0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD599ef1e68948e20f96ef73b1aa868c7a1
SHA1ce13203cdad014a781c9454cea1eee4869068b17
SHA2564c4ce04086a2bae3f9aeab1efbd62c88f0442bac374d5526f1ee55bdac567299
SHA5120625389df311242812cdc41972bed00beae0792a18ba2a0c93b708ccadff420e021ed44053624f4b7b1f9cee89644aab792e2f6ea051fcb08c5d1bebc9721a3a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD581410e5b1bbe4a2b80502a2b6e23382f
SHA10f78a7d817929b7474661e1801e8c8796d1250b6
SHA2569eaf39fa3262c4e3ae0a761eb75a38c753c8c0d9353b273aefa3baca57216772
SHA5129d5ffbfc68c10b2639e3eca3c81971e65e1169392d9fc14787efb3268d2f07a2c79c63bbf374071786cb24372d49e2e313998aa37591b0c051db778f1dc75d4b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD52d065eb51d4888b1b78643bc6e2385c1
SHA1b04c4e14becea282f055c3efc51edb3f28b68ac7
SHA256d55b0607bf2e7b2a464520014652d9074db03d12072bc431bbcf65a3bbd69fb0
SHA5127b00ae67e621b44aba79bbb9782ab0a00425b2265cec95fe87a516eb33b11bceb145762296e5fe81c60e6bf3cbabf794309181857385b13d8f8d0782631c476d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD59e808c2025dd44ec810dbc7540b91f67
SHA1e195163d7f7b3bce4e1e522f1950db779e0d25bb
SHA2561e54f447b57e2dc2402c6b187141261a79c15a43f1e6d4be7147c003e5402f62
SHA512c161a66ff9d789ee79693799bae19fbef9350c248e0daeaa02e4f7600e69b86e16172384341f370ad77e75d7cc698b26a4666b81494de6700d9088f76da588bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5a52612af95e95b7afad7cf958c773bd1
SHA1f80ae2449f695c0e3d44116b9ccee2ef8c895978
SHA256861c545ae08ddbf52a7de4a935869b27f0ca62f3c0e8ed14b2e2bb8afa5c7d5c
SHA512f9a7143c488eaea79175f4cb6e1856eceffdc5dfd2bb4bbf8085fd4f5540c1eafa3c039f311010026867fa0e5ac5754428078f4ab1edbf97fc20c9daf066b816
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD57060e40eb95a78c64750cfc0cc44a44c
SHA15e14cd1bb61a6d479f520b4a0695070ab4f56573
SHA256ae176d90742988f6b6c66dbb9b666c36bd21e547f021bf5e63a74e270017dac3
SHA512bc5605b0786dbcc1d7a2f8dfdf0650e39f32c3a1e3e684f3808e71da207f03a947a7403fb6f8740d0adf7027dc6b5038ac9eb9a5ab4c8017fcaf809d812edecc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD516441e67033f5e1c41a685082ef5abc2
SHA1e4cae2a0e74652d8bb4395ba208265983149c08f
SHA2565df6f04621b3ad8f9a779716f0fcdc83679cafb540c445e6f541a8824cb6e24a
SHA51235afeeede50dc631969704f23e0e63d4cdb5ba5dc3aec1b99add8ea8a44ba37aea2db1435020b4d4fe58025e9caccfa7d8e0883a91869ea81bad23aa626b057e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD502ee7addc9e8a2d07af55556ebf0ff5c
SHA1020161bb64ecb7c6e6886ccc055908984dc651d8
SHA256552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc
SHA512567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
701B
MD5f6c9adfad279ad7de400d33fe888a2bb
SHA1ccc65d8b9c879f7091f787569520f86129cbb7fe
SHA25647ecab361ec470aad2a385d887568eb3cb170e755c83ccdedffb3a86be857a16
SHA5127e5d1e089ec770fa56a8417e909fe4aac5a35d2736066fb878f389212f39c09a3d8b285dda408c43d7d1dbf1058cd909bd403cb03182ee08029dcd91cdc7e225
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD524a30d7e33728cc04eaffaefde86c77f
SHA1408fc66c320f00d60f5136b36911878c2c7f50c6
SHA2568e93f10f559e113a1f7d1460bef7e4bea4bac99289862d941d6c5df3ed1a5375
SHA5125834c9036bbbddcff99bac83fe059e3e0069ade6282f36fb933335c1c187f5f904878df5a7a3a74946dc14bd4ad90f8b02fc791663cf894bd8ab3b6c092e6353
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59b1f1.TMPFilesize
201B
MD5f597475d25b2641797b8523c705e974d
SHA142a3765e78d96520021940f0406fb80a3853d294
SHA2568c777a4d6f37a6be76139109843c7a79f0d524cff9eff8dfd2c883d978d2d7c2
SHA5127ec32cdae32613abd25e4375c42a5c4dd8f8bce125ff12c20c92bbe9f351709d52f3997986e98d273eb45940e86d25609a2e77ecd10da37b711d8710393526e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5e54aab8bcbcc6ff4d752410f073e6029
SHA1c1d660dd3266c87e16b026e704581a90c3a65787
SHA25664777a743a01dd173d0409438b52027cdb399d8876e29e561d89674ecbddc148
SHA5127b4fcc9d1c45f0d06416864313efdb64eb0358eb679cf26f0d7a3b39c662c9fc30a55c947fffb0a99ee28c6da46953634abe7cae897125f6a1f99b313a309d8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD54f33d55ad0078502f2b7a729b9ba40b2
SHA17672777f1096a8424c0e48b20c3b676d4b36809d
SHA2568a3c230d09c29b8c573b75a13b6a80854549c64374afe9d93c91e27328df90a4
SHA512b35192a17c595428b68a39a3ec2f9d53d62e3c75e4549ba8c77be3031bc13c85aaa86b28ca97b91cacc443da080808a5c80be30077d775cd5fc81fed19de5da4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD561376c4469b8c1317d982ee46983d530
SHA1754f5a6fd2dd87159f9df22adfece7c85fd80d23
SHA25669a52a607e2b1344125aa8002a7329475fd6d085a792eec7c463331e80198e51
SHA512ecdc5a8642562211b9918a1a140034fbfbbb552ee2cb7a2d0d86bfa3405b76abd456955c847adba76070375eb6ec14181170875bd21a71c98153937c5d628ceb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD58947e554a8bc3efb840b1795c03a74bf
SHA1f6daf73dd684f5203bc67b1fbe1d06814521f485
SHA2562dcc3da44ae40c41d8f2bed74a89e5e525bf4cf20c0dcc9688b23c9b18699562
SHA5129ebccb18368d1e1ce47920f3c930d71baf15690da867b6399bc978d9dc1335a991df8a4cad59d39f487719f6366834489d2f1190497fe39d071ef41a885b5789
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5c63045402a15b89068801afb58df7ddd
SHA1619de407550cf6cc1f5279dacf56fa0ba7f79b1a
SHA2567cf369d8837e8e86a36952d36efd391f6bb7b326d7f13e4d0a6143b38a9f45fc
SHA512fe11d538af565ed712fe9c5259c6f9d2b66c2bddbf4ba7b69f39b4c5b987f9c1a98daa341b90098dab4e4c0e92be456d7965c99c623088feebb899de53d42d38
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m02ooy5s.veq.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD5f223f36e3e23117107acb043e1052a88
SHA1fb8e6366f563586581360c29b5713d8e106abfaf
SHA256d6205521aa59215cf8cedcba0b3389683d9181182d701ce7095cea0538bbf06a
SHA512655cf13560560c9ad22d22d2e67b06da280e47d8c32ab1f2f07775b787de4192721d568d72069858c49e6fb4f986ea2601f0536e5d7da51a2b9005781136fa02
-
C:\Users\Admin\Downloads\Dangerous RAT 2020.rarFilesize
32.6MB
MD5fabd4abe8547e7802525df618067085e
SHA1d37ea2f666688cc64f40cb894baf34baa35a35d5
SHA256fc31e62144b9d387158f8a875dcf17b65da5366f5fb9416c704952edb819f5a2
SHA5122156439e19fced1f936f6fca7b5674e47bbda41aeaedcdf7794a6ea9c2cd724006cbd16df23d4eef4fefeec3c819a898313a55d57cf965f2849b5474bb3492cb
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\Dangerous RAT 2020.exeFilesize
11.2MB
MD5fb40ba1b494af4057ab259bba5f33fe6
SHA1b872393a07d3949947a41871132b736c00c771bb
SHA25640a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac
SHA512f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\Dangerous RAT 2020.exeFilesize
11.2MB
MD5fb40ba1b494af4057ab259bba5f33fe6
SHA1b872393a07d3949947a41871132b736c00c771bb
SHA25640a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac
SHA512f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\GeoIP.datFilesize
1.2MB
MD5797b96cc417d0cde72e5c25d0898e95e
SHA18c63d0cc8a3a09c1fe50c856b8e5170a63d62f13
SHA2568a0675001b5bc63d8389fc7ed80b4a7b0f9538c744350f00162533519e106426
SHA5129bb0c40c83551000577f8cf0b8a7c344bc105328a2c564df70fabec978ad267fa42e248c11fb78166855b0816d2ef3ec2c12fe52f8cc0b83e366e46301340882
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\Mono.Cecil.dllFilesize
305KB
MD5851ec9d84343fbd089520d420348a902
SHA1f8e2a80130058e4db3cf569cf4297d07d05c93e0
SHA256cdadc26c09f869e21053ee1a0acf3b2d11df8edd599fe9c377bd4d3ce1c9cda9
SHA5125e1d1b953fda4a905749eff8c4133a164748ba08c4854348539d335cf53c873eae7c653807a2701bf307693a049ae6c523bd1497a8e659bdea0a71085a58a5f1
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\Mono.Cecil.dllFilesize
305KB
MD5851ec9d84343fbd089520d420348a902
SHA1f8e2a80130058e4db3cf569cf4297d07d05c93e0
SHA256cdadc26c09f869e21053ee1a0acf3b2d11df8edd599fe9c377bd4d3ce1c9cda9
SHA5125e1d1b953fda4a905749eff8c4133a164748ba08c4854348539d335cf53c873eae7c653807a2701bf307693a049ae6c523bd1497a8e659bdea0a71085a58a5f1
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\Mono.Cecil.dllFilesize
305KB
MD5851ec9d84343fbd089520d420348a902
SHA1f8e2a80130058e4db3cf569cf4297d07d05c93e0
SHA256cdadc26c09f869e21053ee1a0acf3b2d11df8edd599fe9c377bd4d3ce1c9cda9
SHA5125e1d1b953fda4a905749eff8c4133a164748ba08c4854348539d335cf53c873eae7c653807a2701bf307693a049ae6c523bd1497a8e659bdea0a71085a58a5f1
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\WinMM.Net.dllFilesize
43KB
MD5d4b80052c7b4093e10ce1f40ce74f707
SHA12494a38f1c0d3a0aa9b31cf0650337cacc655697
SHA25659e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46
SHA5123813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\WinMM.Net.dllFilesize
43KB
MD5d4b80052c7b4093e10ce1f40ce74f707
SHA12494a38f1c0d3a0aa9b31cf0650337cacc655697
SHA25659e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46
SHA5123813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\WinMM.Net.dllFilesize
43KB
MD5d4b80052c7b4093e10ce1f40ce74f707
SHA12494a38f1c0d3a0aa9b31cf0650337cacc655697
SHA25659e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46
SHA5123813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\adf.dllFilesize
17KB
MD5d1a3d0619a4f1c40ad0042ee0f37ce3e
SHA1bf86bf2d7ede77a29a75b257c4d1ead85b0d01b9
SHA2562c860ae1f6b9ad6f0fed907c268714cb2c2c7615d89f0733682014ec852bb3fe
SHA5123023603ebd8dd527787c94eaca844c8df422a02f3da6f51c66d417a5138903bfa283c48dc64e757a63343320a80a50cdd72abc6544f5cb2c1a750f5e06781030
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\an.dllFilesize
15KB
MD5b3c721c3314d2c20ba685e6b03601467
SHA18f1e158e5199394f9687f25e216213ee8172996d
SHA2563120498168f968b2e7a3f44ef09b9c2e99da6b3dd64b1728df20f873297b7431
SHA5127d71934d84a4d99d65ba03c2019632694a1bce76dc0ea95ca52db00070bfc660e66bd288b8d08928767222b74a4232cbc5019eef56952f6a522eb64ef8846eef
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\ant.dllFilesize
14KB
MD58854809c9c8f5feb776ed337761c0390
SHA11ed9deb4a774852b92cfd58d769c539c583a6ec1
SHA2564d962f32f94f83d52e193a191df6d0202d441773eba0969df4fcada62385baeb
SHA512d267cf32a009155648a8aa6e011465331d37c5a349e042a2099420824bb7128a38fbf87ee3d18df39cc6de2f3a97eb5fad4568bbcf430b32833e9f7ea1bb2905
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\anx.dllFilesize
20KB
MD544d692fbbdb6885457057ee5bd5d257b
SHA1b861d3dcba13aa578679f69a16d251c5b3b68a6d
SHA256f5e3a28d021745b4f3eb8e12f228fcba12bd01d668569f70d6c1aecd33a21777
SHA5125e06c1851dd17c884fccc2bb5da12dacda4df228c7fd1853df1b17c93420ae23edb727eddfad170598c9e1367ee41e40ba1cb7f66aef3bb634fceb4c38c0363b
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\cam.dllFilesize
63KB
MD5b138987ac5bce895cc46a787119cc55a
SHA1f5eb1acdbad658474dea24213f59b3c74affc766
SHA256c972c509ed126e4554dd4e7a473b51e8f904dde03375f240afb3017c1d8c0a19
SHA512951456d8c3bd9ce42eb9e557b9e55164d1bc8b9ba35b53e89a6a9fa4208e45c248f25a6da89446eea2189efae443d859dd909be1cf7efa8d1c124378972a18e7
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\ch.dllFilesize
170KB
MD5400380aa234b33a12834ac18e64d6c83
SHA1762eb5d628913c4bc77acd1005672b55a902234f
SHA25638a84a733525c40bf2eee20c47127c3cdab7aa79b4a5fb8568f069b445b7ca56
SHA51234385c48c48810ac2d456cffd58a0cd22bb62f8897dd73b9e5a36dfc62ef734ee22f2b6be4b5a30547dfee0200d6ea6d7f9b364d9265afde9bfea338e397c58b
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\cli.dllFilesize
15KB
MD539c44ad43461da2127dfbb978853c210
SHA1af5208fcc091d0168cfd2ad131cbc810d4062b73
SHA2568ee8407c076076b5bcd1a6f2f245a18aa5cfdbc16df19d69dc6375a0ec098533
SHA512f2ba948e4c1b383d0c47acb252f2eb1e04016eeee4db39ad1f36cf8d33124a99d3369ae26416f1afa2afe7540160467f7a826a323ee3b986e24e72c90f488a49
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\dc.dllFilesize
23KB
MD5a16dcbae0d7f2d40066e1528e9520ea3
SHA13c50db3271b099d69e49783c8d8c240ab19f371a
SHA2564fe2421b3b896dfb0c1e81f2f8a2b97a9776fba3f6cdd1f97595138cc10d7d66
SHA5126b368be2620624f9ba18555d927fe8f10d0aac9b0215cb35016f36d7599c825db212e9d9796389152d9bd017350cfb0ad7b1309696a2a3a868cb14bb7c78fcca
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\denc.dllFilesize
26KB
MD5ff33f235d1cc68cf0c98143b79a08d85
SHA18248efb61ce1bd4687cff5d141168a6f8a2f2782
SHA256c6bfc5f09172ad8b1054491b7282d1a74a717a073dd649caea17cdac4ae31f75
SHA5129e1e14eea3cbb80d5358c2df2c0714fa3563c1ec217f09c607755aa230c7dd0f53ebc2b7de6455be6dfa86a9a7462a50115bd5a6513bf4067dcc61821fcbe3ec
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\ex.dllFilesize
25KB
MD507a86a0343e7ea82368af2ed98006d83
SHA12d2294a38c329fb521df63ca6546c28a2a42ec3d
SHA256a1704d39d3e49d84f625a8d33f5c00a79f0edcdd95250f6a80bbab1ce1a4803a
SHA512f9e4ce15d81fb25ff5dd46b6c93e6c2366f710704418ed048b794370d2be375cccd2b41b4320b0ee6c2ba05f3d42bdf6e2eca03b08d21f1761d43575031c5419
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\fu.dllFilesize
19KB
MD5c0faa99e7e28353dad279ff0e854d655
SHA1687b9cdac410daa2841aa6dbd23eeaef65365c03
SHA2567030e2f8ad04554df38b04b9a9ba23b3f1f2cf917fbd31264b37706427429579
SHA512c12a3ac8e08224205ae6f803c5f5f3c71e051b3681a4280042c03bac436c95e8b08881ea4dbd58b7535632ee50f2c970e163207e2bb74d5b927cc4a5481eed86
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\hew.dllFilesize
88KB
MD5f92dfb5f8695a454f47b049f5f1c39a6
SHA1c2aea7ba05700a0f571a06f563c64ee60d394a78
SHA256bf33fdcdaf6fb31bff088f71dc9b114d40c5c878404034ebbccc0e773b3db224
SHA512bfab911d46b218f8992ff82aee9b01069713d6e48e4ca86cb578ee752ac6034137ab81840fd8ad7c5ce3580c01347d82beb2cd0dade9a791cce2f5b083cc806e
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\hrdp.dll
Filesize: 34KB
MD5: 63b7754cdd0c16deb663ac879114e7e0
SHA1: 25fe1ff4e43b32385f129693c02ab312044e69c9
SHA256: f2a5d7cc8a9ca41efc60f8b2b7ac1a83f387b025b3b56b650262b3aaa13ddd0d
SHA512: 3d48f81e614b6a5e07c3da6f42a271babd1b4b6b139edf3c20c49e1de94f5a973ed0daf4be6f4b14bf803f56dff7934f437962ba32a688f5995214d3f48dd70b
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\inf.dll
Filesize: 25KB
MD5: 17d4c3b276ca7c4ff96fb4e5f34114c9
SHA1: e2e5b346716d702807f0997492a00993b5060f18
SHA256: bc496a8992133034326dacdc491012b70c0c0e317767bbde676989795184f98b
SHA512: 16f583f70b1f4be707a0ceb06757d3ec62a8618b76428e211882a472b5d645ea79f8bf00c80f595f5a45bb51524fc13613d337242ac0f370e83cecfdd5e13179
-
C:\Users\Admin\Downloads\Dangerous RAT 2020\plugin\inff.dll
Filesize: 23KB
MD5: 7694ce25f44724cbfc822fcdd10c49e0
SHA1: b1d0b5a29d12bd7375dbba741bb2d265635019d0
SHA256: 9070f0838d279db7cb53d2532ba50704eb871c696b537cf1cb5bbcd14a73cc17
SHA512: 64364253f4bcca0c0f3a5179680c02cac35465f9d55b706bbf5d7573fd780a17e77935a3a71d43a618917792fb5ee8b3325458b9a8bfc9df3ea226928ef87a10
-
C:\Users\Admin\Downloads\Unconfirmed 724068.crdownload
Filesize: 3.4MB
MD5: 766ac70b840c029689d3c065712cf46e
SHA1: e54f4628076d81b36de97b01c098a2e7ba123663
SHA256: 06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
SHA512: 49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608
-
C:\Users\Admin\Downloads\winrar-x64-621.exe
Filesize: 3.4MB
MD5: 766ac70b840c029689d3c065712cf46e
SHA1: e54f4628076d81b36de97b01c098a2e7ba123663
SHA256: 06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
SHA512: 49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608
-
C:\Users\Admin\Downloads\winrar-x64-621.exe
Filesize: 3.4MB
MD5: 766ac70b840c029689d3c065712cf46e
SHA1: e54f4628076d81b36de97b01c098a2e7ba123663
SHA256: 06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
SHA512: 49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608
-
\??\pipe\LOCAL\crashpad_3128_XZNYMBMKIPCQPJNN
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/848-1223-0x00000000059A0000-0x0000000005A32000-memory.dmp
Filesize: 584KB
-
memory/848-1229-0x0000000005B80000-0x0000000005B90000-memory.dmp
Filesize: 64KB
-
memory/848-1255-0x0000000005B80000-0x0000000005B90000-memory.dmp
Filesize: 64KB
-
memory/848-1221-0x0000000000120000-0x0000000000C5E000-memory.dmp
Filesize: 11.2MB
-
memory/848-1222-0x0000000005EB0000-0x0000000006454000-memory.dmp
Filesize: 5.6MB
-
memory/848-1236-0x0000000005B80000-0x0000000005B90000-memory.dmp
Filesize: 64KB
-
memory/848-1254-0x0000000005B80000-0x0000000005B90000-memory.dmp
Filesize: 64KB
-
memory/848-1253-0x0000000005B80000-0x0000000005B90000-memory.dmp
Filesize: 64KB
-
memory/848-1224-0x0000000005A40000-0x0000000005ADC000-memory.dmp
Filesize: 624KB
-
memory/848-1235-0x0000000007CE0000-0x0000000007CF2000-memory.dmp
Filesize: 72KB
-
memory/848-1228-0x0000000005B90000-0x0000000005BE2000-memory.dmp
Filesize: 328KB
-
memory/848-1231-0x0000000007D00000-0x0000000007D56000-memory.dmp
Filesize: 344KB
-
memory/848-1230-0x0000000007BD0000-0x0000000007BDA000-memory.dmp
Filesize: 40KB
-
memory/2732-143-0x0000017BC96C0000-0x0000017BC96D0000-memory.dmp
Filesize: 64KB
-
memory/2732-134-0x0000017BC95E0000-0x0000017BC9602000-memory.dmp
Filesize: 136KB
-
memory/2732-144-0x0000017BC96C0000-0x0000017BC96D0000-memory.dmp
Filesize: 64KB
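Three consistency checks a reader of a dropped-file listing like the one above usually wants, as an added example written for this page (it is not output of the sandbox or of any tool the report names). The input is a constructed excerpt of the entries above, normalised to one "Label: value" line per field. The checks: the address range encoded in a memory-dump name must reproduce the stated Filesize (the size-rendering rule, binary units with whole KB below 1 MiB and one decimal above, is an assumption inferred from the ranges listed); an entry whose digests equal the MD5, SHA1 and SHA256 of zero-length input had no content when it was hashed, which is exactly what the crashpad named pipe entry shows, so those hashes identify nothing; and distinct paths sharing one SHA256 are the same bytes, which is how the browser's "Unconfirmed ….crdownload" and the renamed winrar-x64-621.exe relate.

```python
"""Consistency checks over a sandbox dropped-file listing (added example)."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: entries copied from the listing above, normalised to
# one "Label: value" line per field with "-" between entries.
SAMPLE = r"""
C:\Users\Admin\Downloads\Unconfirmed 724068.crdownload
Filesize: 3.4MB
MD5: 766ac70b840c029689d3c065712cf46e
SHA256: 06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
-
C:\Users\Admin\Downloads\winrar-x64-621.exe
Filesize: 3.4MB
MD5: 766ac70b840c029689d3c065712cf46e
SHA256: 06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
-
\??\pipe\LOCAL\crashpad_3128_XZNYMBMKIPCQPJNN
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
memory/848-1221-0x0000000000120000-0x0000000000C5E000-memory.dmp
Filesize: 11.2MB
-
memory/848-1223-0x00000000059A0000-0x0000000005A32000-memory.dmp
Filesize: 584KB
-
memory/2732-134-0x0000017BC95E0000-0x0000017BC9602000-memory.dmp
Filesize: 136KB
-
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Digests of zero-length input: an entry carrying these had no content
# (for a named pipe, nothing readable) when the sandbox hashed it.
EMPTY = {k: getattr(hashlib, k.lower())(b"").hexdigest() for k in ("MD5", "SHA1", "SHA256")}


def parse_entries(text):
    """Split on '-' lines; the first line of a block is the path, the rest
    are 'Label: value' fields (unknown labels are ignored)."""
    entries = []
    for block in re.split(r"^-[ \t]*$", text.strip(), flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        entry = {"path": lines[0]}
        for line in lines[1:]:
            label, _, value = line.partition(":")
            if label.strip() in LABELS:
                entry[label.strip()] = value.strip()
        entries.append(entry)
    return entries


def format_size(nbytes):
    """Render a byte count as the listing does (assumed rule, inferred from
    the dump ranges: binary units, whole KB below 1 MiB, else 0.1 MB)."""
    if nbytes < 1024 ** 2:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / 1024 ** 2:.1f}MB"


def check_memory_dump(entry):
    """For a memory-dump entry return (pid, range_bytes, stated, ok), where
    ok means the address range reproduces the stated Filesize; else None."""
    m = DUMP_RE.match(entry["path"])
    if not m:
        return None
    pid, start, end = m.groups()
    span = int(end, 16) - int(start, 16)
    stated = entry.get("Filesize", "")
    return int(pid), span, stated, format_size(span) == stated


def is_empty_content(entry):
    """True when every digest present is the digest of empty input."""
    present = [k for k in EMPTY if k in entry]
    return bool(present) and all(entry[k].lower() == EMPTY[k] for k in present)


def group_by_sha256(entries):
    """SHA256 -> sorted paths, only for digests shared by several paths
    (e.g. a browser's partial-download name and the final file name)."""
    groups = defaultdict(set)
    for e in entries:
        if "SHA256" in e:
            groups[e["SHA256"].lower()].add(e["path"])
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}


if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    for e in found:
        if is_empty_content(e):
            print("empty content:", e["path"])
        dump = check_memory_dump(e)
        if dump:
            print("dump pid=%d range=0x%X stated=%s ok=%s" % dump)
    for digest, paths in group_by_sha256(found).items():
        print("shared", digest[:12], "->", paths)
```

Run against the full listing, a dump whose range and stated size disagree points at a truncated or mislabelled artefact, and any entry flagged as empty content should be dropped from an IOC set rather than shared as a hash.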