Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
01-04-2023 20:59
Static task
static1
Behavioral task
behavioral1
Sample
Script GUI [🔒 1515].rar
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Script GUI [🔒 1515].rar
Resource
win10v2004-20230220-en
General
-
Target
Script GUI [🔒 1515].rar
-
Size
3.3MB
-
MD5
dc44d9ac63fb3f7bc9ed4543a7bef843
-
SHA1
e5126b4fdd8b4b687270d59408f4e191843b0bd0
-
SHA256
87738c9f89b27de5d18545ef1a64f588674aab995c2fbcaf859e5795d225144e
-
SHA512
2bdd17eb62a87b88c37738fac75e652a6509b0610fc85b7dbae4c3c894c40e192c53b04c4f69705013c6a099e78d189c01bd01dcce3846f4f18e4f9c5f22961e
-
SSDEEP
49152:mQEEki7Or1xhuZ9LCbisGXhEaMtbBb6xP/80Yd8xWjSzfM31lgqiv0woKlDmx:rhOxxAIrEEaMFZ6xc0UIiSDAgqiFoK1k
Malware Config
Extracted
C:\Program Files\WinRAR\Rar.txt
Extracted
C:\Program Files\WinRAR\WhatsNew.txt
https
http
http://weirdsgn.com
http://icondesignlab.com
https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
https://technet.microsoft.com/en-us/library/security/ms14-064.aspx
http://rarlab.com/vuln_sfx_html2.htm
https://blake2.net
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
winrar-x64-621.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation winrar-x64-621.exe -
Executes dropped EXE 2 IoCs
Processes:
winrar-x64-621.exeuninstall.exepid process 1492 winrar-x64-621.exe 2484 uninstall.exe -
Modifies system executable filetype association 2 TTPs 8 IoCs
Processes:
uninstall.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe -
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
uninstall.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" uninstall.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 62 IoCs
Processes:
winrar-x64-621.exesetup.exeuninstall.exedescription ioc process File created C:\Program Files\WinRAR\Default64.SFX winrar-x64-621.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png winrar-x64-621.exe File created C:\Program Files\WinRAR\RarFiles.lst winrar-x64-621.exe File created C:\Program Files\WinRAR\Uninstall.lst winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\Uninstall.lst winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\UnRAR.exe winrar-x64-621.exe File created C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240595890 winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\ReadMe.txt winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\Default64.SFX winrar-x64-621.exe File created C:\Program Files\WinRAR\WinCon.SFX winrar-x64-621.exe File created C:\Program Files\WinRAR\WinCon64.SFX winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png winrar-x64-621.exe File created C:\Program Files\WinRAR\License.txt winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\RarFiles.lst winrar-x64-621.exe File created C:\Program Files\WinRAR\RarExt32.dll winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\WinCon.SFX winrar-x64-621.exe File created C:\Program Files\WinRAR\WinRAR.chm winrar-x64-621.exe File created C:\Program Files\WinRAR\Uninstall.exe winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\RarExt32.dll winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR winrar-x64-621.exe File created C:\Program Files\WinRAR\Rar.exe winrar-x64-621.exe File created C:\Program Files\WinRAR\RarExtInstaller.exe winrar-x64-621.exe File created C:\Program Files\WinRAR\Default.SFX winrar-x64-621.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png winrar-x64-621.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\906da7e6-7ade-4ed9-8a77-b335f60eb584.tmp setup.exe File created C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-621.exe File created C:\Program Files\WinRAR\WinRAR.exe winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\7zxa.dll winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\Resources.pri winrar-x64-621.exe File created C:\Program Files\WinRAR\Descript.ion winrar-x64-621.exe File created C:\Program Files\WinRAR\ReadMe.txt winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\License.txt winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\RarExtInstaller.exe winrar-x64-621.exe File created C:\Program Files\WinRAR\Resources.pri winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\Zip64.SFX winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\WinRAR.chm winrar-x64-621.exe File created C:\Program Files\WinRAR\zipnew.dat uninstall.exe File created C:\Program Files\WinRAR\Rar.txt winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\WinRAR.exe winrar-x64-621.exe File created C:\Program Files\WinRAR\RarExt.dll winrar-x64-621.exe File created C:\Program Files\WinRAR\Zip.SFX winrar-x64-621.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230401230030.pma setup.exe File opened for modification C:\Program Files\WinRAR\Descript.ion winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\Order.htm winrar-x64-621.exe File created C:\Program Files\WinRAR\7zxa.dll winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\Default.SFX winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\WinCon64.SFX winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\Rar.exe winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\RarExtPackage.msix winrar-x64-621.exe File created C:\Program Files\WinRAR\Zip64.SFX winrar-x64-621.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png winrar-x64-621.exe File created C:\Program Files\WinRAR\Order.htm winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\Uninstall.exe winrar-x64-621.exe File created C:\Program Files\WinRAR\UnRAR.exe winrar-x64-621.exe File created C:\Program Files\WinRAR\RarExtPackage.msix winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\Rar.txt winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\RarExt.dll winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\Zip.SFX winrar-x64-621.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png winrar-x64-621.exe File created C:\Program Files\WinRAR\rarnew.dat uninstall.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies registry class 64 IoCs
Processes:
uninstall.exemsedge.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r25\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r07 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xz uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tzst uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.txz uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r09 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r10 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r01\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r15 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r27 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r06 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r20 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.arj uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r24 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zip uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lz uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r06\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r22\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zipx uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell uninstall.exe -
NTFS ADS 1 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 194131.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepid process 4848 msedge.exe 4848 msedge.exe 1324 msedge.exe 1324 msedge.exe 532 identity_helper.exe 532 identity_helper.exe 4960 msedge.exe 4960 msedge.exe 4440 msedge.exe 4440 msedge.exe 4440 msedge.exe 4440 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
OpenWith.exepid process 3356 OpenWith.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
Processes:
msedge.exepid process 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe -
Suspicious use of FindShellTrayWindow 24 IoCs
Processes:
msedge.exepid process 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe 1324 msedge.exe -
Suspicious use of SetWindowsHookEx 21 IoCs
Processes:
OpenWith.exewinrar-x64-621.exepid process 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 3356 OpenWith.exe 1492 winrar-x64-621.exe 1492 winrar-x64-621.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 1324 wrote to memory of 3316 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 3316 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1768 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 4848 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 4848 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe PID 1324 wrote to memory of 1100 1324 msedge.exe msedge.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Script GUI [🔒 1515].rar"1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd72ce46f8,0x7ffd72ce4708,0x7ffd72ce47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6432 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7188 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7436 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7eaee5460,0x7ff7eaee5470,0x7ff7eaee54803⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7436 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7296 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\winrar-x64-621.exe"C:\Users\Admin\Downloads\winrar-x64-621.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup3⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7232 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3928 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3872 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6549174731853502991,2547798701800610279,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd72ce46f8,0x7ffd72ce4708,0x7ffd72ce47182⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\WinRAR\Rar.txtFilesize
109KB
MD5e51d9ff73c65b76ccd7cd09aeea99c3c
SHA1d4789310e9b7a4628154f21af9803e88e89e9b1b
SHA2567456f489100ec876062d68d152081167ac00d45194b17af4a8dd53680acfc9bd
SHA51257ab82d4a95d3b5d181c0ec1a1a1de56a4d6c83af5644032ff3af71e9bd8e13051ae274609bda8b336d70a99f2fba17331773694d7e98d4a7635f7b59651b77c
-
C:\Program Files\WinRAR\Uninstall.exeFilesize
437KB
MD5cac9723066062383778f37e9d64fd94e
SHA11cd78fc041d733f7eacdd447371c9dec25c7ef2c
SHA256e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
SHA5122b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
-
C:\Program Files\WinRAR\Uninstall.exeFilesize
437KB
MD5cac9723066062383778f37e9d64fd94e
SHA11cd78fc041d733f7eacdd447371c9dec25c7ef2c
SHA256e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
SHA5122b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
-
C:\Program Files\WinRAR\WhatsNew.txtFilesize
103KB
MD54c88a040b31c4d144b44b0dc68fb2cc8
SHA1bf473f5a5d3d8be6e5870a398212450580f8b37b
SHA2566f1a005a0e5c765fcc68fe15f7ccd18667a6e583980e001ba7181aaaeed442b8
SHA512e7f224a21d7c111b83775c778e6d9fa447e53809e0efd4f3ba99c7d6206036aa3dde9484248b244fb26789467559a40516c8e163d379e84dcf31ac84b4c5d2a8
-
C:\Program Files\WinRAR\WinRAR.chmFilesize
317KB
MD5381eae01a2241b8a4738b3c64649fbc0
SHA1cc5944fde68ed622ebee2da9412534e5a44a7c9a
SHA256ad58f39f5d429b5a3726c4a8ee5ccada86d24273eebf2f6072ad1fb61ea82d6e
SHA512f7a8903ea38f2b62d6fa2cc755e0d972a14d00a2e1047e6e983902eff1d3a6bca98327c2b8ed47e46435d1156816e4b0d494726fce87b6cbe7722f5249889b88
-
C:\Program Files\WinRAR\WinRAR.exeFilesize
2.4MB
MD546d15a70619d5e68415c8f22d5c81555
SHA112ec96e89b0fd38c469546042e30452b070e337f
SHA2562e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781
SHA51209446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5aaeb1f5e097ab38083674077b84b8ed6
SHA17d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2
SHA2561654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef
SHA512130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51db53baf44edd6b1bc2b7576e2f01e12
SHA1e35739fa87978775dcb3d8df5c8d2063631fa8df
SHA2560d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48
SHA51284f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51db53baf44edd6b1bc2b7576e2f01e12
SHA1e35739fa87978775dcb3d8df5c8d2063631fa8df
SHA2560d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48
SHA51284f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51db53baf44edd6b1bc2b7576e2f01e12
SHA1e35739fa87978775dcb3d8df5c8d2063631fa8df
SHA2560d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48
SHA51284f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD566bd607844a6eca629f773ae16747c9e
SHA1fb7e612784ede01484b63ae8ba15a221939fbdb0
SHA256bcf32d70f64948fd37b05cd73f7e1c8b796bdecbe3d5d78b9e8f0a5b6f69ad80
SHA5122aec45c5982f3abbb7c13893c914a24c2ba3e3cef0e974d7b9c6feec54bf30c3710efcaab98c6670d58965a83e1c8b1b8e1f8d1d8f0a030b2eded48e4275a1d4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5660585d517bfa7c15ebd63f970588e9a
SHA1a8043172e88b27b3afa8c2af367d7913187d6e28
SHA2562eea98ae33c7f111d39cb649a62153472ce5d90b67f6726f2d4116eb2aae9f44
SHA51252d85375363a7409c34eba9a72d33343850f9c160ff52c5f4dfcef346aefa5da40da843acd33145432a369fea30272a9450d6553540324ddd77a57a8ea0e357a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD54a5193cf9228db24313e400311f789d0
SHA10a2781df2f2f4f705d2c11a4e11ba47fd094c503
SHA2567dcf0287fa9e75ed6e8f65cacb7237defdd41cbb8ebdad39a523ea774d28f82c
SHA512850231a76a0465e6cdf1343885019886da4752d93b6e20fa329215816b598d3375a9f324cd115da8feb4a142b3c3b4d6b1bbdb0d5f3a316a2202c43766c44a57
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
938B
MD5e548cf80874c823a6187a6a8f477182e
SHA1d8d0001d28c0302a118696caf55db992244301fc
SHA25619ed7d43757b9ca9be694b3c54ae455a3924d591eee4a01c760e9d3afa75dda6
SHA5124f973a7fddfc43c170e684dd757d86b2762c93e1bd726f4ffca21fcb750e25de6d343b7c2a213b9d07e0e9fd1fe0dc675d2ba558f58c31f72504e4bae9478887
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5daccb6d8cc9eff5579b30dc8e17a345e
SHA1f88a28254078738161603c85dc80031c6b323070
SHA256f521417f04dcfb2ce4366f63209e22ce5623dfcb6dc6cd5ab540148e8ca93a48
SHA51245917d4952a9807f040cb113b3315d9ffa512bf60e8c4435fc8224bf3ea98b71990195b7a554278a6c26f4d6c1ae8ed7d88dba3d605f709a24fd0869aa27cfb5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD58b830198ac5ea17519698ad6b66dcf90
SHA11b7ba38a61d4a326e1dae1d18114e32f7603bf10
SHA256904ee6401afb130eb55b15c6122fb7c007c8a82bbc01c81164eaa546ec04d867
SHA51252d725321dc9e0032947c1d3ee0031342ed1108497a9c6dfe7b0f1bbc823c5f15a7adc5a133885f88c0a0040b8782be61d8ef5d58a58896ea4e175a40eb2b5dd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD52569a472cd1835a98a108953f6fc15a7
SHA1c9533bc205c4effa6896ef963bbcbb99f41a2a02
SHA256af1980a592149cc23fa817ddc21ff43aaed7e778b92773fd1d8bbf8d2898768e
SHA5125e44f92f0f8e1047b7c5b010cd7be24abd00f4ddb779c3fd773dd0584e759d980f794285a149a3943fae548d154cd4659c8d0db119e680f8cde838176e0185f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5af85829117e01145e9cf2e2ae78a1377
SHA1145f891e4181abb800e8fb4acd63d5ff4ae76f75
SHA256daa5179398f9bc2d4b6452782b6f5bc95f1980b8587805afc068bd97c4bb5936
SHA51242f29eb13ac77505fd9ecb54ed5a9135cae4fccd05a5c6889eb6df5fecbf3d96d6abb37706e1b796b9c11948aeb37c814544bfc39eddb9c10ab3e58b9b9a9f42
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD53f288adba9ccc3e4af23ad4638788a0a
SHA1fb8c1b850647dcb5daae576c40d8f711ebb254c6
SHA256404e207e76c1b167c0ed38229db5e634e52251cd9a091b2fa54a54a7783d0997
SHA512ccf3ea1a4c2fa569a85107cc6b5f404a767b10f9186b5e40d649ae5eb9d37c8e77ffa57bc41158e7bfbca826278c76c3ee335939f2cc27d5ef789d5723318e5a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f4074ae05ce3d14230f57e5814da01d2
SHA1e417f08f04bef58b7d22f70c687faf337aa2ac8f
SHA256e6cdd13fcd687b244f76785f4b426d43f11d3d49242c6a2257c38a83195aea90
SHA51226f78acf0c0e763d9b5e91d50bf7bf293be8f9a878950e09f5cb1bdf133218a6b4571bf62b4ba7aa8f21bc67e02139b5c75352eef3fe564c4626b73e6a76b200
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD56ed0c391c3c22ae15138b340c3f2cbf9
SHA13788dd184f51f2dfa4fb21e1aa97c1bb292a77fe
SHA25664111f377ec545f2519a23f787967fe265c29e01c9ede09aa80def440d0b9e72
SHA512d6e2200efec7a8af2650bc41167d498a836da8c5627649ce002318f2a0375d11c1ba22a5510161d67c0066f0df8e15a819550b4e86827cee6f677decde66a6e7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5cabff33736345016f3582d4c7af638ce
SHA1057aa92e1b1a51f26f30f79ffd8d6b41604ccdb9
SHA256fa0bcdd8ab6fce4ba8ed395356718027667efaf5e4965ebba37ee6a8f0fc6f3b
SHA51279d4adcf960d6c495b4e9fc2738a24d5664882afc9e5234d78ab840aa97e3195210f53eb2e649636fa90e893f7c63f83df1b575c7ed8a3c721e59b4a8ac61313
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD547e94a96372e6f095b8a3fd7edc48ec0
SHA1377b68f34e5964ca8be1b1b0c1507dd7f0e5f005
SHA25615c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e
SHA5125bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe570ee4.TMPFilesize
865B
MD50f76fcbab4844a778e7464088ffd2a94
SHA1ff480674be5d3219928dbcac990a85884210000b
SHA25623bcd4adc628c9e59b7e606e161f26ac5e6d549de13eb9a4d141bb294c5de124
SHA5124e8dfa7e45833ce4e98c15e49d1f28a2b50a7ec4e11bdd8aa97be958e5d1f310cc760f70e8d822c0ab14c8c381463fdd53e069049950b2dfb9508e75e4845e1f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c67722cd-e687-401c-8f17-2866e8643193.tmpFilesize
1KB
MD500379334915e920e4fd348fff9ba70c0
SHA11029ede19988ba3d58421d4ee69ce8ce0257a706
SHA256066ac411c431c0965871e2c6ea21aa79dc17bd920ba54b6d62e93ce3317a1fd7
SHA5128fcc29618ab9381a1fe1324f174dd392297a40f60b30ff825655a0a99320b75605344d7d87dfb6473af8e8e9767be4124a36c032fec0f3f6d8e3f71c7f992c49
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5005a029b863b68e7df6429443b62b037
SHA1904938e3e96b96dad05888a2e260fc9f6a76da09
SHA256037cac3cabeb62386864e32aef740f1317f6462dee2de5a8af6c5e9955e43fe6
SHA512e47b3a1373bdca8000ce46e81d8f2a2f342ac5d1603ad4cde8c7dc3ca4038450bf7519d87726d26567401da89043ec724bbe70d74a18359b41597c41b80824b9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD5d1426fa90504d788f7c803e2649e1530
SHA16a12d398124250ebee714bc014cc4bedb389496c
SHA2561d055567f622a06785c73935c83eaab63969e2f83d2e5a17242e8220455cbc47
SHA5128e66ea9f72942839629689cfdc31ccb685f0d12ed3ed7b03943172b63b9ef65153ddf22c71c61ad691946e8082a4190aea452bd0536f819bb1cf525f5a271cc2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5c3c5dbd8fb6e7bf4f2365234ac1d6699
SHA1c05c8666b6ac2b53fae45a994b6ca4c3d4010fc1
SHA25661728e3eb7e96fb3749f207e3784291c48eb57ec62725b6e10458973d1bf8760
SHA512410d38834fe978098e6ad27834d9fe7c7cc5d00316c600ea728c02067718bc5490f24a315b74620dfefbcf494d16d6e5e07a685dd695440049b6a07d03a16f4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD503aeb7320dd61e4cc9aabdc960965aae
SHA1a53fe2b1a4cae3452f01b0eebe030c47cfdf8b51
SHA256ccbb8294c3beb6860949e67f2bce84a78c0de6aad3b45445ba30963271cff7d6
SHA512f7a026db5b8fa4a3746aab4dc3b33ce300d44956941a4ce2945969b6f01ae894890cf012832c5918cd778367e9b116ac869e27f211760b580daf14dee1d69701
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD5d7d61d698331f7eedff2f8dda45b930b
SHA1e6bd30dc31e0fab8da3935e231765d8b28cb3063
SHA256e2fbc9ada22b453d65eff1f950686166546d5b620052a9444aca415cd6a548d4
SHA512ec8c34a826982680f14ab5402132fcdf6a9022503a0d8025ec3dff5ba0a4685198fb1f008eb5511df93246393b475db8c3d6259da574f9b58103ed690eb7f5d6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD557fbdecb113d6520ff81c8f935db51a5
SHA10d418e750848867f7c533527423cd1e8fa8032f8
SHA2563f562bc951b3bb0bf19a8f71d8ff3b296e86c5a870f4b1669bec07f7017cf15b
SHA512079537da487c7a5f93375c261ae479e3810a7608533d8cad57d0f5eb9d5b5d81d318fc7adb6c973c48470aa50964a2de67450b3dd909bfb88e50bcc51d34c75d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD5fccce8313a3e9cdc307ec774b3168611
SHA16d32b8c5fa71b5fb70dffd8de850913045e5f6e9
SHA256650b0eba17dcc10988296fc334cb636944b707cbb1c5dbf9092f32c5813f6e09
SHA51295890806483fe2e9324a38cad0c365878d21983558475ce50ce821985a316809d2441d858bcc5e9a6ade1e25d560ca6e13c6e74f45568f08c19696e876a1fb14
-
C:\Users\Admin\Downloads\Unconfirmed 194131.crdownloadFilesize
3.4MB
MD5766ac70b840c029689d3c065712cf46e
SHA1e54f4628076d81b36de97b01c098a2e7ba123663
SHA25606d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
SHA51249064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608
-
C:\Users\Admin\Downloads\winrar-x64-621.exeFilesize
3.4MB
MD5766ac70b840c029689d3c065712cf46e
SHA1e54f4628076d81b36de97b01c098a2e7ba123663
SHA25606d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
SHA51249064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608
-
C:\Users\Admin\Downloads\winrar-x64-621.exeFilesize
3.4MB
MD5766ac70b840c029689d3c065712cf46e
SHA1e54f4628076d81b36de97b01c098a2e7ba123663
SHA25606d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
SHA51249064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608
-
\??\pipe\LOCAL\crashpad_1324_ZHNOEAJKJBINZIXYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e