e3d0d3a78b0d5b1335575b4df498747e674624d3bd2b4c965b62b6f19fb424d0

Resubmissions

04/02/2024, 04:21

240204-ey6qlshed8 1

04/02/2024, 04:18

240204-ew52asheb3 8

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qrcp
Size

251KB
MD5

82f280693fe5a45cea0734889d52551b
SHA1

e0a9a33a92fc658cbfad5a20c1e5d9e344a984e2
SHA256

e3d0d3a78b0d5b1335575b4df498747e674624d3bd2b4c965b62b6f19fb424d0
SHA512

edb02899eee25620e9997437dc9e87c6491a0f477e073e78ecb0df77a63e14b79aeae70c1f58d3cf338b16eeb3dbd608a3687a930eace20e543f1c108b34faa8
SSDEEP

6144:XDuqJpfW9VSgE29xxspm0niivuz3f9OvZJT3CqbMrhryfA4n9PUtR74V6PaqubgW:BfW9VSgE29xxspm0niivuz3f9OvZJT3d

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1904	winrar-x64-624.exe
2196	uninstall.exe
3004	WinRAR.exe

Loads dropped DLL 12 IoCs

pid	Process
2952	firefox.exe
1376	Process not Found
1904	winrar-x64-624.exe
1376	Process not Found
2196	uninstall.exe
2196	uninstall.exe
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259465074	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-624.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-624.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-624.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-624.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r08\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r15	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r07	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r13\ = "WinRAR"	uninstall.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WinRAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WinRAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WinRAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WinRAR.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\winrar-x64-624.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	firefox.exe
Token: SeDebugPrivilege	2952	firefox.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe
Token: SeDebugPrivilege	2196	uninstall.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
1904	winrar-x64-624.exe
1904	winrar-x64-624.exe
3004	WinRAR.exe
3004	WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2840 wrote to memory of 2952	2840	firefox.exe	30
PID 2952 wrote to memory of 2668	2952	firefox.exe	31
PID 2952 wrote to memory of 2668	2952	firefox.exe	31
PID 2952 wrote to memory of 2668	2952	firefox.exe	31
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 2712	2952	firefox.exe	32
PID 2952 wrote to memory of 1556	2952	firefox.exe	33
PID 2952 wrote to memory of 1556	2952	firefox.exe	33
PID 2952 wrote to memory of 1556	2952	firefox.exe	33
PID 2952 wrote to memory of 1556	2952	firefox.exe	33
PID 2952 wrote to memory of 1556	2952	firefox.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\qrcp
1⤵
PID:2220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.0.1554398532\2012465548" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20600 -prefMapSize 233275 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14654ca8-ea43-4da2-a40d-d0bdcf75ced3} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 1256 111d6258 gpu
    3⤵
    PID:2668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.1.740851682\1422949319" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 20681 -prefMapSize 233275 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecf5308b-aa3b-491c-b9a6-c72df56c35e8} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 1492 e70d58 socket
    3⤵
    PID:2712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.2.1866080316\1811585284" -childID 1 -isForBrowser -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20719 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8d74430-aeaa-4fae-86fc-565553ccd6b0} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 2316 1afe9958 tab
    3⤵
    PID:1556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.3.1923191526\916942104" -childID 2 -isForBrowser -prefsHandle 2756 -prefMapHandle 2752 -prefsLen 25956 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5530dce-e1b6-4f25-861f-d8278a78d7c1} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 2768 111d4a58 tab
    3⤵
    PID:2756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.4.1959639975\379339326" -childID 3 -isForBrowser -prefsHandle 2924 -prefMapHandle 2920 -prefsLen 25956 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8c7a1ce-a184-4ea6-beed-5de47ef26d33} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 2936 e62e58 tab
    3⤵
    PID:2548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.5.1528999433\2097442761" -childID 4 -isForBrowser -prefsHandle 3784 -prefMapHandle 3772 -prefsLen 26212 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {197bca1b-7c66-427e-9423-a7c1e36d1bb1} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 3796 1edad258 tab
    3⤵
    PID:820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.6.1698554854\1554651051" -childID 5 -isForBrowser -prefsHandle 3912 -prefMapHandle 3916 -prefsLen 26212 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e577d1f-ef48-4fd0-b8ed-6b586d1dffeb} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 3900 1edaf058 tab
    3⤵
    PID:2884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.7.1706558040\1740734960" -childID 6 -isForBrowser -prefsHandle 3948 -prefMapHandle 3944 -prefsLen 26212 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5b25cc3-e1f2-4f99-a346-b07d02d3a594} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 3960 1edb0b58 tab
    3⤵
    PID:2308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.8.2023788414\754377921" -childID 7 -isForBrowser -prefsHandle 4188 -prefMapHandle 4196 -prefsLen 26546 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4c12444-bf17-412e-96a7-3c539dccb754} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 4112 21f3d858 tab
    3⤵
    PID:1704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.9.647222531\1361124355" -childID 8 -isForBrowser -prefsHandle 3868 -prefMapHandle 3860 -prefsLen 26811 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {599f7497-9ec8-439c-881e-b7f11a1abee7} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 3852 1edaed58 tab
    3⤵
    PID:2940
- - C:\Users\Admin\Downloads\winrar-x64-624.exe
    "C:\Users\Admin\Downloads\winrar-x64-624.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1904
  - - C:\Program Files\WinRAR\uninstall.exe
      "C:\Program Files\WinRAR\uninstall.exe" /setup
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Registers COM server for autorun
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:2196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.10.1720523283\1148701719" -childID 9 -isForBrowser -prefsHandle 4512 -prefMapHandle 3660 -prefsLen 26851 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ae16910-e56b-44ef-b7ad-7aa7158def5d} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 2532 1e334f58 tab
    3⤵
    PID:792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.11.1568736981\715588879" -childID 10 -isForBrowser -prefsHandle 4120 -prefMapHandle 3936 -prefsLen 26851 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73cbb1a7-b5f7-4879-838e-8cfcd3d67532} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 3468 1e371658 tab
    3⤵
    PID:2648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.12.1769383716\1290860938" -childID 11 -isForBrowser -prefsHandle 4304 -prefMapHandle 4392 -prefsLen 26851 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {513444e1-38b6-469d-8e88-ec259e86ea9e} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 4300 1f5c8a58 tab
    3⤵
    PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.13.243592906\1730194055" -childID 12 -isForBrowser -prefsHandle 4040 -prefMapHandle 4164 -prefsLen 26851 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18d2cc3f-b9ab-4b54-9a42-14c642277d50} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 2856 1f7ee958 tab
    3⤵
    PID:1248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.14.423498178\27634097" -childID 13 -isForBrowser -prefsHandle 2140 -prefMapHandle 2152 -prefsLen 26851 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3529348-a01f-4c8b-bc64-1dd276071686} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 4796 e63e58 tab
    3⤵
    PID:700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.15.1436695988\1360182007" -childID 14 -isForBrowser -prefsHandle 4244 -prefMapHandle 4180 -prefsLen 26851 -prefMapSize 233275 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7200ce9-0152-4e14-8578-e44c28c85dba} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 4136 1e064758 tab
    3⤵
    PID:2572

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
109KB

MD5
b689a0cb8c288849febffafc2144576b

SHA1
4cba85fa8ac528c3ac0af6356cdb912a0ae4199b

SHA256
59334a8ffff612755a64a912389bc23fbc35933cf209f845bde34f055011b8a6

SHA512
63e3dcae9a5a7373b7f5fdd661ae624a27e8f72ca86cb1be91533575ae115cf874bc0785350f00e919694b36b4745e6fa581252ec0d8a9ba2a99cef20e26b247

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
328KB

MD5
b8d94e17f28faf0e6d99dcfcbcf28785

SHA1
5ecd661674923be538365f75691a57b99c746231

SHA256
3a48ac9e6fc1844139309344236ca27d51aa73179c56b3f5ae7244b677618f37

SHA512
98e84cb65d83da456c1613c2563b182cd74dbb13c9f6f5d283b95091b84c52b833db5ebc51e188e4510de504e016b69c770cbe83bc3ff5e7d973d6a0775c247b

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
429KB

MD5
8e1a194cdb986b277e44afbf419d0bd7

SHA1
c6a46bfb7e829fc710fbe668900a80efdff9c36e

SHA256
fd934c3b663679041b82c12d60b14c51060d8d04742612ed5f9cfa82cccf1d37

SHA512
3e64edeed5e50927e1c758e9788be5778af2ad3c52ee1cebf19dd020fe2378f2bf375f0a65bc87c3ffb4c3dc13133b4f9cd3f7d627310011e1325c1073634fa1

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
65KB

MD5
d3e5298c4b72dcfa2274c6dd4d8b56f0

SHA1
f4bc24d32fcb972fe27e09bb831485e427a0aa77

SHA256
ce63e7f7aea15adf1c2bf7f32f4ba6e73a81c16d87911a15d982c6f31773a31d

SHA512
a3a01056b2b80b0574d938f8686410d9cf84d35f58ffb8e48027aee26fae2419620bbb486fe347bdc236c3c30cf8d8f8cf540e12161eee5d5db8122e627b9da7

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
131KB

MD5
5a733aa787cc76e8d92435bc376eb7ee

SHA1
628c70b8400db67403ea36af304bc9bfcbc7a8ca

SHA256
9c8e0981087b8104b3bbdcf3982c4722732f44858145092611c8e9b511cd4440

SHA512
9ea8f1f0c0149011ed78941fae79bcbcb3ab3a2cad277e49bb6cdd8fbd18df834062c1973a3141da6108e6192457263bcb01c57366748d3f740610f75151c4c0

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
160KB

MD5
d3429f05041ab881ececa2bbb4535cc6

SHA1
7eecc34720ec97695840f40bb2d15591d2b83a89

SHA256
57ce079457b4fc499ac373d642e917653c519cd9ea3268d707f15e5353a16f63

SHA512
bda1b5e094f7026f89d05e04abdcdacc11757f309256f06b6d364733d48d79d1554ba79420567ad1d11361437cade76bde370c1b046ce7137e8f87d043992574

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.3MB

MD5
916913a9b039fc11c7cd848081f81c10

SHA1
39c3246a7138edfccfbd11ab2ef83d6ce7ab4a2e

SHA256
2c85e9238cdaa3885befab6d7f24ef656f48f7229a32160fb104cec00255635a

SHA512
b683c50e6b34c56094bca26c8c437f8694cca359680a38f79061305bd601934fae3c134802187154c113bc18669cd959e8453d28576fdac384ceed63c941f304

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11cd4069a15dcdd9bb1f1a2d807e75b6

SHA1
725c78aff1ca1bd2aa3cba84d3ff3e055396e662

SHA256
0f9f0be865c92250199e0a4c6db5f9606315e00d41251700fb01a5084b559fa0

SHA512
d18e412f82a36c4a5db26f802c18e206e3411531c8023642136ad14377831dcbdd54166e05658c801c12094fd3d3678d42488a708e6ac1913c96344dccccf0b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ed7cde89cd4d4df4737c8f72ba1a5537

SHA1
c19a865b1596f031ee505928291b51c25057285d

SHA256
3eef2e6f4b499d6dd8963397ca844a7053299168652356995e327e43112741ad

SHA512
54f870f6a650f7f562ca022aceee494aabd84f30f61e05a6a887ad398d51f0d56f3c1785e8cabcff8ec5635051096a82dd7f95515dcbfeca4674f44f7c5679f9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\19618

Filesize
15KB

MD5
de7f14f9cc261b6be61f1723e55b1616

SHA1
c6c38bec927da284767465901d855d5a77ba2976

SHA256
704df4bb43fa03df234338910ee401bdd04b8563af927887c67e04c09bccf1ca

SHA512
39e75869815916a0bf01ae17a1784c4fe4f65fd84748a2275493a8c95061d81e5ca46f429d0f8fc3620ecd48534ed8265a13e48951ce4c195d045add05d0780a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\26486

Filesize
21KB

MD5
c3d75f8965c97a02c7b2b4a1dc167a7b

SHA1
852c6859de0a31289188953fb3611fa2f49bcb48

SHA256
1dd51bf399fa5c1f6e5c34003ce16631609cea6ff54ed44da366d16dcfc03a52

SHA512
34e729ca5f605aac42d44883c34065f8a0af87ddc443895fdfca07ad89bd8b579c93c292d5a48b754b06a54fdb5566ad07c6a43f7916d7a1a777cfa33aab30c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\doomed\31111

Filesize
10KB

MD5
e2e8953c880cc6e961c1dadc9f379781

SHA1
fe9ce39ffddfb5c45e9b6711a9e6dcbedcef2ca4

SHA256
b247e6b26e1a2f19d2d052ea29568071c669c96e510182d104b9cac4dd6a2ca9

SHA512
4aa933bc168da496d5eda79746cd096170d09bbc675ed9151655c73c8d20a28260a7f4d7f3e43d33b3b911a938efde22dc991888ea5080393a0f9640bef2c989

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\04E7EBA40D7FD7317637A9111BC5467D9D51BEDA

Filesize
512KB

MD5
bc62fb9527466a38d0a15f2e5d57ddde

SHA1
0e892f4ed740890f3e7d0234e984d20c7dd22fa0

SHA256
902e886c62ffba643e43364b87814c3627576d772a9285bbf674dce536d3c07e

SHA512
42d66637f5dffacd8c5625d78c7d9cab329e1862364aa80ec0301cd1a263084df39325efe7c9e8ff3a4ab76ef506ab81c7aae551765601bbe892298dccfb247f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\B79673334992FD6EF4629D4266761471A897934B

Filesize
105KB

MD5
531e8bd739f5f0e19c79de58cee4379e

SHA1
e9f37bdec62f4eae3737b3cd3c68249104b18b08

SHA256
776d35bdf798c597a829457801820f16ddc3fcd848eb8a94cfc166f079dd7f86

SHA512
cb9203d990afd2f79fe0ed62e5d2fdae5760adfa8e2eabbe35cdcc5e6d03c6b2908e18b2b08f6584f4e2bba972bb79a92ec8822c2eaba0e53200f8059081cb04

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\EEFE6F94EE3532D6DAED4D54CC20795BDF32F079

Filesize
359KB

MD5
8b4e67eaa224404c6e02627d1cd2500a

SHA1
4a091c6f63bdfb24805a861da60957996f4b9a0e

SHA256
eeffe1a74314ab75f1037fef4d1b3a247d5492337f79131fc6b9b40ee2d17cee

SHA512
e1af2dcbe53f07abd6fc24f468a9c2e0c2ea5e2016553ebff944b4e6b2dbe13946f1f894ab6598ddcc86596a04e53c0ad6d926a7a084a6b76e05f79e0d6bdc20

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lf4jobx9.default-release\cache2\entries\FB043D966C9626666CAE79A1F4807A11E5C9E79B

Filesize
666KB

MD5
1a730abe75a9c18d61f5d0099ae05bd8

SHA1
03511342209aed18954add0395cbc160374c676d

SHA256
ba5be665e0e6961803733f55dbbc0600c48f82eb4ddd6097f04112f89ace7e90

SHA512
bb533256d534a389f44634de0a1a498f3119910f12e7c0ca63d2ed684824e9707228e9a7c68afc3c35e031b2aa519c46a989e9fab78f4befacfc42188506a92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4629.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
aa198d66d3b533b8b81680f05f6aca50

SHA1
11b0b820eb7448c03415f114b1a90753cb218c18

SHA256
c77c0443e79fd15f451227b59b527e993002f096810d60984341397e6faaa235

SHA512
466185c3cec8e0b0a8a05397f81005e853aec3e9edc13056622f23853b2c4b25f5d7dfb9f4aa49ee91a389f9aed250c29c28f235a14a7261c365b2ee9304c13c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\datareporting\glean\pending_pings\301b60bb-283b-4eaf-8c08-2f2c9ec0facf

Filesize
668B

MD5
74d53c350e14bcb2e5e28191c0727519

SHA1
2d0207c47f43fbb79a3ce2a3871fbb00f0d07674

SHA256
84657c21129be908e62d55951c82a8246b4693db393a508e64f0a9dcd0f02bdf

SHA512
dcbd5f5a31f11d0c7bf7ae08027d8ba7cfa54de8fc1ad09eadb4ac31d4376e4d4d0c6ff85b9b6ca5e33e3b79380b1bb8be96e12452a745c7340b00e688691160

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\datareporting\glean\pending_pings\89879fb3-e528-4ad5-85f4-abf360230b87

Filesize
10KB

MD5
807482be2a124256f176d76ea2fe026a

SHA1
baac5943428b2002137329d97f044aee0be3a2b7

SHA256
67d3f53e160a93697ecef22eb6df254dc7a29625ca76381aff7bbb28163a41d1

SHA512
aa6f6f1350e76a0d7252aa8b1e30bf68ec373b4ed8281ac5d29f3bd23fe71807d56c8becee5121e895d716b8aaa9380ed8d40146ba8ec69f69787111434296b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\prefs-1.js

Filesize
6KB

MD5
94edbcb686f1bc22eb54a210027138e5

SHA1
c23ef2295893281ab43bc70e1a4259223c630c8a

SHA256
11ebfa385e48ea157da40570c9061dfeb4e3b49a1a542dabe519b7c4f85620b3

SHA512
4b59ad39514fb5b7df37a72f8b5ec90fe4d1bdb99de1ac9c9b8ddee2e430ba2ba61395df312e9c51e71fe46bf8544b735d4afb1f989d02a65784ae747eef6dab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e5402e7e934dbdc5898f24e8e6b14d6d

SHA1
2553a96340edfdb0c0a89589ae7c0bdcda778bee

SHA256
a74bc4a7692c6f72e1cc53d882179462da148eb8ad18ecae024df3063b501c27

SHA512
58d67d421356c3f9bf82707047e8e729b90732c49d6c173ab09a975f25da4c0f09e8b16f293af78f6210608294ac9fd4fc0dabee551baee57a8a7a9364525e04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
c886053edd374c3b54c264df3e2f7234

SHA1
0dc7f33a5be1e58836ef51e2505204152b8bba3a

SHA256
023e3ae616482e0c5f983ae09cc6b6fd4c549ae1aae4442b039a574f6e9c7271

SHA512
6b1ca83fcb90994e298c5316445769a70affd3bfd8670f8c40053d822d54fa8ac7518aa7b38f6128878bb28b82d6ee8204da7560322762273cd8fe1400d484be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
6ef6f424fc660dbf662e17c484eb5799

SHA1
38a28e9f9615bf658d48d7bef4497f871cdc0835

SHA256
ffa4021e79d964f4f7ecde64dbbb416e891f3d5d75f20ea79f79840c481c1c5b

SHA512
3b5894b5a7d30503dbdaa71f38f0503c782c9a4947f089a4b770e3dd62977ce81df5be02b8db68e8c350052b4b952ed43b1483d8a9edf3296050c9b594e52e34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
d16b72eba856dea976c549ee2f89e5ee

SHA1
95d146359b5c68bd89f3e960cd540ac05241f7a6

SHA256
897a5255e167ae8864cabf2414d71149dbec3290d9d2273d45db3027f95d07bf

SHA512
ebb556c581e042ed834613ea41a7971196601b0d4c52004d09ec6d11363a9ce6c707d08ef98783810fe869c55a884cbc640f38ee87c1878c54aa927dd72060a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
678d28e76cb5979806423601f507ebd5

SHA1
6526e150cf63b3f436c1367d048321544b21fe81

SHA256
cfa3e22f13f895c7bac3cdb975f5ee1a66881d1802650bdf86374da58b8533b4

SHA512
ae1d1ff9e96f72cf469fa1e7529cb8c1d337995fdd92bcf046cdd0e2b0fdd9b6ac5e3916d4346834fead68159c442b3a13fbc313edae9c1a78df8aadef94625d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
d8ae88214583e7ff6306dab604d8ca29

SHA1
a2c6e650618238515a9cf51bab4f26d4b47b6fc8

SHA256
c13434d1b306341f5d7db18299f0cfa799f7ac150c438531071d9dcce6b75223

SHA512
c563a0d219f8919ef10368fd9fd06cf72ba7a321319f995d86e255baf62115ccd85b0b8052fbcecf868a3222d10720cc8d4b2a47a4e974a65e36501bf841a1eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
ace65b341d8580d8f9e61cecc5fe29f4

SHA1
8c8daae9e18de9686f31591a6f7fe7f6bde77021

SHA256
4bf01a3d5132a4e2a012fb917f7fbe7413e857f6018e8a7ab32dad20470113ee

SHA512
07178589808808cc6ee8b441708acae55edb9327f5e9576549cc3c96a4169a725d9b317034e54ec5de5d50b6203c8cad25fed8c28c9aef8fc2e6485c9db7f5a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e2bb46e04bcf31b3661ede40f7249c7b

SHA1
60dd43c44bde31893b8c13d6ad990768bb7c8270

SHA256
02f6ecbfb4fa1c208210437d252911fafcfe9bc8342d34276ab9a957182bc0e0

SHA512
15e01607869ac99927e7661e7d49b2ea80ae8f428e300d1d291d6db8ba2e12d83668d51f100cba7f0923eeaf8b906fcc1513f90dd0374d98e5059035df61d1ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
bcf001e9787ac053b43282451d91bd8f

SHA1
84108ddf7d3a87ce2d21c47f76d852ddf1ce236e

SHA256
32d09bba77c515fb180444f7939aa80ee153aca2f0cd5e9241fa6d3502188ea6

SHA512
3ecfa3e66a4356edb09506728aa7dc4bd8ebb23f64b98e06382d5d6decb4400330938e89d83a9c2fcff768af29899b021f4134de8a53277f91e368f49f380d3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
87efb50ce0e5dd60def6419e1e1b8c41

SHA1
7ef5158afe4ca16c34406179b896ea9a727ebbe4

SHA256
e5d9f0f0236e67c4c210167e6fa94461c2f45fa87b78d19a26c24cd1f8bc77c5

SHA512
580381478435b69faa3d8a2d422021f132dd06e587f9b4307ee187b7e34d528d800cda252c0e8cfe9a59cecb78ddfbba8347dc092cac7d9cbc5164d7c1c10c17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
160KB

MD5
cbc519864d1f8ff1ce3cc7f2e191d80e

SHA1
6dd3646f96fe8d5c851e1f41711818db59209bb4

SHA256
666d310a756cd3e12a5dea050e86453e7abcb7bf40e6cb044b23f06cbb195a2c

SHA512
bec4e98556c8d0c7ee14dec12ee4f38203ea3bbc420c58ba89f11dccd11e1e17c5ef2addadc3c96d7452553862c32da4ce0717fa51ea3bb60e1577637a63a7ed

Download Submit
C:\Users\Admin\Downloads\winrar-x64-624.Bk_VCONR.exe.part

Filesize
1.6MB

MD5
695922da8ad0c305e44cddb40b30b477

SHA1
d35664f1e228f1bd6a7367cafa165e2b4008a4d4

SHA256
be79b20349ee2f1ff9a2bbf6938e6c19740bc2106adb2c5e0e9dd3ce04eaf590

SHA512
af6fa78210b0bbd573d7433e71f0f0526f7e4e3c89592dff22773d0eff56a36da7aaec71ec7fec4a9f7cc575feb8aa3e83292a52db8a35f1c1ec0c106f065f97

Download Submit
C:\Users\Admin\Downloads\winrar-x64-624.exe

Filesize
340KB

MD5
93c28404a86ffa1fa2f052801c66a2e8

SHA1
5b00355378550353b8d0a9b3febd78ba07b0f22e

SHA256
f55f399f6fd9d17ab0569566b82ac4dc74eb99762ef089c9690ba06215215d5f

SHA512
670416b412a3d28d0d3cba93dd499fb5d595969d4192e5ba22e3003b42b95da10d86f1516e8d3f06aae9677db2a8196a96ed2a83647dd215e6ffda2be1c68783

Download Submit
C:\Users\Admin\Downloads\winrar-x64-624.exe

Filesize
306KB

MD5
b7d87c03bf4063278598e886ec271ee1

SHA1
61e8b93e16298bfb56e7a5f2cc2bd5ecada51b8e

SHA256
a3a0acfa383435c97468ee33704ce62ff0fc4ba1b07aa1fffadfb4153eedafc3

SHA512
72ecc29cc581182a2bf5a16523323f22d467fa1e7f99955ad792899ac00175cce4bdeb7c5e7fd327e8c4b511b87ad238195b3419ed1f435c1651b7a589476326

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
265KB

MD5
fe0f56f275427d00268b6d5b604ed9c3

SHA1
f1e8e40e0c402b2d129d463701e2afd563d70bed

SHA256
04514fddef118087cbeb66a037868df0dd1207406d573002697a82b445612068

SHA512
1d36e72c462211acc9ce7fa76b3476f0bc9774a80816a0e57159d533eedb1f4ae89ff0c2dc560ff59e980d3c9dd4eb3a1ed58c013a032c949d613a405cd99a53

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
412KB

MD5
c60feaca07b4c104910df69ab3ab65d2

SHA1
a878568ea7805ac5553d85789e92ce49ff2642f4

SHA256
228a69eda50a851fd99e88c1cd3fe699e7c08f9c7323d5c48d7809e030650f1c

SHA512
0c1ca443ecfb0bca76d585a7918bc93a3e602793f00578d4e88c8112fd54800712e4fe292b26ede0e8bda4c3da863f281c98bbd50f86bf2ebc07b87f0adbf41d

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
98KB

MD5
31834ba4fa40188a130276a9beafd4be

SHA1
ace44288a24af6ac4bde10bb5fe74a7decae72f7

SHA256
a37642efb258b8c87d7a2ebdac0a3e7c0518ab19d40ceda009d4cebf621a4029

SHA512
75c4f335d1caa0e6ead5beb04fffd83696487403e061beadbf7dd75e9aaaa19dac4d64f58252021658285f3c03235fd5d193cd69c22d848d24828e017fd15f43

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
136KB

MD5
db08237badb1f9185d85845159c4a149

SHA1
7d1a660af5f138ced215ab588e2bbf9833540718

SHA256
75bcb887795c0bdc3d8fc52462e15d3b9b5b984ddd6f28f38ed703da98202e45

SHA512
7290cfb793d14e48e7277852fb532265c0ba1d8f0412bb1d5336013d3c20d4b2950a8980c7a6636aaa24eed3f44609c86e1bef6c8bd66689c289bf2160dc1ed7

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
96KB

MD5
f6fab72df94a1fb86ad52498fc673efa

SHA1
f6c84c1314a672d645bb793f464db72a886b96db

SHA256
8e052cad9e9fed8831027cf64e7968fe28bfdc719dfdb89606086d0186106f29

SHA512
0584a7cd25616a9493997b026293ac2876693b88305afde33a265c45732c0aec549f357fe7880c688c89b1c768ea6663d59109a354e7707db918961bef0239af

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
285KB

MD5
535bcd147e5eda3abe23366450e10962

SHA1
6ef61bb04a34fed4a6c95e5e2ecf3a9861e3ea38

SHA256
e6ce427f6902994475098d6d26f6f6368f05957c23c02afe7d8451ee1fba590a

SHA512
131673350528963436f38ed0927f6ef7b976c7151725c92f36a1706940761c5944a76eba52f4e8f6b6c5f04405b687f3d9483f3a0932ec3446b86417f64b568c

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
523KB

MD5
ad0c0e846d4582567627f4ee5b0c6db8

SHA1
aa342e21ad9d3ab2b91d469a3c8beea3a6830493

SHA256
dcc5e3e0519eb1ee2ec85cf9947b718f00248cc37978d49ecaf0342aec446f98

SHA512
045f71f301193af1ccf322c48a3d50ed652691d267d33b8d4189b1ff501d3f7aa20b9959c706b456cd967e1aa3296a449bd07fc33908020a6f602823c23cb24c

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
418KB

MD5
41a1f8b28a4aa9ffee0d85d4380b2bef

SHA1
4105114493fd0c9c6eee57032e98336bd92b6beb

SHA256
dc8fd86578f3d9d480c838ee1292ece54f19ad21e8311676eb2a65207cd5d61f

SHA512
e7294e79d364492f4710d47538121031110a680287eeb9b6f23f9d0644a053d99bc8f0973c31a2d01ead2feed7b7c1a8d696bb301a3ef6df68d19c7f3be3aa2d

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
928b05a72bdc940c450f059902691501

SHA1
7931b85054c29be4cc3c9250a5dc4a821a446040

SHA256
0d068a6aa2df88613e1c5c7ba412a5a5bc3cadc3f3ab4b76d10035ba8eec27bf

SHA512
de47b4f9065bec41671f17f0fdd33d324e9204f323fea863774952ceaa05f17106c46ddc118c15a2fdb75d1313b6cc91b430357fa3a11d13355869507d075788

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
2aca26db4be9dcf971083b162e6506ae

SHA1
897bbb8d4dbd8731c4280d14bc10dde5635e3b8b

SHA256
a429e6d16178aa161f51380e97eb4a95e7b4a37b5c5e0ad42905a029f78a46dc

SHA512
eda852567f5e4ed65fd75cd2903f6965aa16970d8bd27648cf898a4302f326f2c64c663fa21a5ac5fe5906b031349d80dfe5c3e0ab018cd47b4390eab3f7127d

Download Submit
\Users\Admin\Downloads\winrar-x64-624.exe

Filesize
461KB

MD5
23c8f46782175e4fd57960c2e4be1161

SHA1
dd4af0e43c5ecbbe84c929e39f1f589904dce1dd

SHA256
193a94cbe0fc47059a06d54a918588dd0da5aff871a86f3814b74c3b8bd10916

SHA512
7a30ddec62811b4015773bbf8db4779ae4389a3e03dd4102acff8eb0849547910177f072627353975812d5d1e173ff61589e03d715b81ec229265d93e37de4e4

Download Submit
\Users\Admin\Downloads\winrar-x64-624.exe

Filesize
22KB

MD5
9972f7367d3d68559a5a9f986b0407f4

SHA1
43877232d5087852c8bc8e039d9458dcc6e89bd3

SHA256
cac0304b33de447ac004ca0df99f24dcdcdd38ae45502edaa3a7512dae1c774d

SHA512
4b3e2d4cc75a74d72703524448761b7fab2aa1609f9d6dc871eaaa30aedaa412e0ac4c741d6934ad734dea24a4f42ee19ce3d5332f137623a36648d02fa5b664

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads