hxxps://drive[.]google[.]com/uc?id=1BBxQR1RioqaoNT1LBGJA99dWohXhm-Cj&export=download

Analysis

max time kernel
128s
max time network
296s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
04-09-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1BBxQR1RioqaoNT1LBGJA99dWohXhm-Cj&export=download

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
3964	Ninite WinRAR Installer.exe
3672	Ninite.exe
452	target.exe
4860	uninstall.exe
4304	WinRAR.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\RarFiles.lst	target.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	target.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	target.exe
File created	C:\Program Files\WinRAR\Descript.ion	target.exe
File created	C:\Program Files\WinRAR\Rar.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	target.exe
File created	C:\Program Files\WinRAR\RarExt.dll	target.exe
File created	C:\Program Files\WinRAR\License.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	target.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	target.exe
File opened for modification	C:\Program Files\WinRAR	target.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	target.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	target.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	target.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	target.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	target.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	target.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	target.exe
File created	C:\Program Files\WinRAR\7zxa.dll	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	target.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	target.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240703796	target.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	target.exe
File created	C:\Program Files\WinRAR\Default32.SFX	target.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	target.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	target.exe
File created	C:\Program Files\WinRAR\Zip.SFX	target.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	target.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	target.exe
File created	C:\Program Files\WinRAR\Rar.exe	target.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	target.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	target.exe
File created	C:\Program Files\WinRAR\Resources.pri	target.exe
File created	C:\Program Files\WinRAR\Default.SFX	target.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	target.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	target.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	target.exe
File created	C:\Program Files\WinRAR\Order.htm	target.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	target.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	target.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	target.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	target.exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	target.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninite WinRAR Installer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc\RemShown = "1"	Ninite.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133699660402408595"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface	Ninite.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Ninite WinRAR Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Ninite WinRAR Installer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3244	chrome.exe
3244	chrome.exe
3672	Ninite.exe
3672	Ninite.exe
3244	chrome.exe
3244	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4304	WinRAR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
4304	WinRAR.exe
3244	chrome.exe
4304	WinRAR.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4860	uninstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 4900	3244	chrome.exe	71
PID 3244 wrote to memory of 4900	3244	chrome.exe	71
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 4268	3244	chrome.exe	73
PID 3244 wrote to memory of 3100	3244	chrome.exe	74
PID 3244 wrote to memory of 3100	3244	chrome.exe	74
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75
PID 3244 wrote to memory of 4404	3244	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/uc?id=1BBxQR1RioqaoNT1LBGJA99dWohXhm-Cj&export=download
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8729f9758,0x7ff8729f9768,0x7ff8729f9778
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:2
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3816 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1596 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3216 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1816 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5864 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5504 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5376 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe
  "C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\58422962-6b15-11ef-9650-521b4fa5e422\Ninite.exe
    Ninite.exe "4c849ba6e3f4deda7ba805f4134e462d8337e7e8" /fullpath "C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\5B8D81~1\target.exe
      "C:\Users\Admin\AppData\Local\Temp\5B8D81~1\target.exe" /S
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:452
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:960
    - - C:\Program Files\WinRAR\uninstall.exe
        
        "C:\Program Files\WinRAR\uninstall.exe" /setup
        5⤵
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1864,i,4171364174938547785,5456928585154327099,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\MLG.rar"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4304

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
105KB

MD5
b954981a253f5e1ee25585037a0c5fee

SHA1
96566e5c591df1c740519371ee6953ac1dc6a13f

SHA256
59e40b34b09be2654b793576035639c459ad6e962f9f9cd000d556fa21b1c7cd

SHA512
6a7772c6b404cd7fee50110b894ff0c470e5813264e605852b8dcc06bfaeb62b8cc79adcb695b3da149e42d5372a0d730cc7e8ed893c0bd0edb015fc088b7531

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
45KB

MD5
1c44c85fdab8e9c663405cd8e4c3dbbd

SHA1
74d44e9cb2bf6f4c152aadb61b2ffc6b6ccd1c88

SHA256
33108dd40b4e07d60e96e1bcfa4ad877eb4906de2cc55844e40360e5d4dafb5d

SHA512
46d3fb4f2d084d51b6fd01845823100abc81913ebd1b0bcfeb52ef18e8222199d282aa45cae452f0716e0e2bf5520f7a6a254363d22b65f7ab6c10f11292ee2d

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
316KB

MD5
6ca1bc8bfe8b929f448e1742dacb8e7f

SHA1
eca3e637db230fa179dcd6c6499bd7d616f211e8

SHA256
997184b6f08d36dedc2cd12ee8dc5afb5e6e4bf77f7ab10f7ade9eefdb163344

SHA512
d823f2c960a4d92129b9bda0f4f9195d32e64b929082b5efb9149546b5053021255d1dd03cb443f0a03106314554f76b94173e280a553a81e4ac2ac282877973

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.1MB

MD5
0d76233931dfa993fd9b546bd5229976

SHA1
ce8de59e2277e9003f3a9c96260ce099ca7cda6c

SHA256
648a5d7064cdf2a86f465ea6b318d0b1ceac905f77c438dac2778a001b50647c

SHA512
dd7b6bd5545c60e9ce21fbde35f20d8807bdaf9e4408321f7f709c9324c719f1a9f68648260cfeb7e5f94f4eabc631dd95e348e55d93b32ea12e899d030b91ee

Download Submit
C:\Program Files\WinRAR\uninstall.exe

Filesize
477KB

MD5
d36be447f422abc82276af9cb2f2741b

SHA1
f3ba2f58a88086f1b420a7520a5439a9eb851b79

SHA256
82a495858708b726f26cb86e2fbab8df86b9008a671be4c1f6c4f24ed3013735

SHA512
b9f5ffe578185b2f112d0bba21fdd6677d64986445ff971e9f6e8aa87a4684c0722b97a473150aff2742929fcaa79f6e336bd05d462bbdce149d634eb2f2d3d0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk

Filesize
1KB

MD5
1a69b3d7f51d098b45dab11fe0ea3afb

SHA1
c061f518681500fe0f45ec7c0bfa7f0f7af757ab

SHA256
61eddbd0466980ccdbd3d14d7e9b34a3cb07b43f3e5e56038b4081e473b6434c

SHA512
7a4b929aa95d2ae096f4a5ee9c9636cdba9a4b891e5d8a28803ea2f7bf1346cb0605ff0d8f9990ff9a463aea6526bc69ccaf1335f6ebae9b0d5386afdd81d975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
1KB

MD5
80232acf2a1797839968b6f94c5a1532

SHA1
a79596db0899de31ddbcde27e14a32209c7836bd

SHA256
9859e687378e43ebaca50bf4b7d577a54a9e858a56310df1f218762227b9ccc8

SHA512
2dd8d77a1b48625db04747967e3c3775d7d9b602aff80d587b707660f2b2282786167a1086dba323dfec7cd99fea3f77ac5a6179a993683af59a876e5e2acab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
6f4840e2bcc4ce348ddee87fdaa88176

SHA1
c8cd4236b342dc74a6e7495d320028ecec535e1f

SHA256
796012ce1c9ec077b5d9204e7819f3d3448025ceef2e3db691ba129afc033260

SHA512
b7926abcf3592f186568ea0eefde1e23c7093e53e763761f81f075a6e02564a40521b16793e95dde3cafbed81c6e9b6ee78a637ae8681bf809386cacc1beeaf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
2796a25ced5ad7e04fe288925340085a

SHA1
3d595c87e4bb34d2332d60659f985efdd180e4dd

SHA256
6b892e5a527fe49cf09e93e3acac84329d46766ba8faf2b8264d6ebec788b16a

SHA512
e2eef41f691f3194d43910ff2d6a63f4b90ce49070cb497e84bd78ee62effd19cff624dc1ef23b124dca3d4afa59e670f334bdb6c3eb2bbafa41eaa21a8abedb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
434B

MD5
d14a1ed9ee64eae1a5fd08c582d46718

SHA1
060c5a3b7fe2d549881573b794638dd9a74bbeb8

SHA256
51ebc1cf611386c528abb865b487e8cac10a343eec24018eb623d9f18efb59fc

SHA512
52166d476e69d9a4ddf3e259787b53fa943fd0c2be0c923ed23177a8764d4b81a9815b087bac2f47110284ae54fc569be058554811761896b3222cddf11d69de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
5306fa53eb768dfb41e25b9ddf950037

SHA1
957bc74a4f5a12e6072f3d545b2942e1c7918ebb

SHA256
7d30a3bc5841d9d850676dd474772fcb9223f507cbee71b6ce88515000d67b9d

SHA512
c750b906886ee2a04104d4de90d9c582779fe088a7d48d404ba32067e47d9cd025e1523cf54bba9438ef84cfb063213ea46f69451d91e070e4df4a91f6d73eee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
115960ed278def6214624f4a4e456c3e

SHA1
c7bc59526ca94fa1fdfc98fbd0f19517568ce78e

SHA256
6131547734528967c9506766a01f752f6b2adee7f664dadbf7d3024cc61000c3

SHA512
ece3b590509a121cd36a7f170192ff06ec08ebb030ace22eb9734fedec18161595de123ad2b1735df8711d53e72c6f21d687a60707f505d7a53413f20edb64ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
77add28b6c800b2b52d986910ebb5d85

SHA1
9e39d9ce8e15ea479cb0fdd103c2bd3b5c97bec4

SHA256
86e1c5c02bafcd2cd26d8c7e162abea029a5c704bd8120eab81bee097985d862

SHA512
f619703267d7bc8714ab5fc2c128e0b8b70bf6b69df1be52afe5818b42b26efd72b2f16afc740b8494c197309b22e187682c878b0b8712a6c6fa568f6a7572bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d8b21121c339d472a150243761e563df

SHA1
c4e7aa08581c655ba003403671d45fa3e3cda8ef

SHA256
1cad975dbea856e402831f2001b14da44ee6a76a98a1968e0744dd68381eab7a

SHA512
593b1d2e96fa0e14db44037c6061b42dcd699035311922745c6a2fd9debf9478d759b269f0017ad62f2b310ca4d55d9bb4cb480355af6bde7fb001531b9c54a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
49bed61872f10ebb9f394dcf26b063e0

SHA1
1bb042530c09018d8748927c35010427ed8ffaae

SHA256
a44ea6f55dcc81e73b09ae47319e767856d8f10e59a6001ed5fcafa8dc989e4a

SHA512
7ec450e42b50b9c26013b2129abd52dc4b2f743cdd6ed7567c69bef979c899d2174315b2769a0968a75e2c9e8a4ac079d15edbe8e46e96f036ad34db42104413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
5bd41af15bef95e017c7e156513c50f2

SHA1
42cfc2909f872894a248cdca873a7d236303b3f5

SHA256
9af85a07d0c83e8754927dfae907f407cf5e16b2ccbf3c3f6ccea9d7bbd359f5

SHA512
50e2e08dc5cc8152093c07b9732b21695012dbf1f26a8e77924b3488071d7b473c87f4f96aa9b878d222f5b085fb55f7ca837a871254358b3be6be8d2080e600

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
372B

MD5
0b2a529554f65e032ab1c59fe8a29364

SHA1
58beabc7c66a74dd561fea700d0e4cf80551d040

SHA256
89d3a2368c9af5d4be35507732da632d805f67389db73fd82930b6f33ca33c35

SHA512
4e4b02a3f70247ce451be00c9a5a4bc5667b349e0d3e789e9131469432fbce76552b8d2e94f2c36356ecaa9fe298f8f53dcca181714c315d4e5c0b2375ba38c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fcfa929190710338a1fff4a8c462342e

SHA1
2ad5e9c704f6616fa0e8165aa8f80caf318cec14

SHA256
9dfa7da6946e7adda2d1d773434f83310e2c6f547fed6806dd9fd312896650b7

SHA512
4f4173677d9b205297fed7d8c19871555e0076a8a0f2a20d111ad373b79fbd398e98d25f6df12d72c243f2d22c395de3a7cc95180389984e078c9a791cc16782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
898d9894795b063f56eda7b4345d799f

SHA1
0f63d46c436d4584587fb160383bdcbc14956eca

SHA256
e4155538dc014c0556ad848ef31c2ffc229ed8ee848ea3aadd24ff4946af0e99

SHA512
776267f83313060309d01a7cd95cf2ed7bfd38cfd57f142857c0d9ae6b1026c235f93d958a61b8eb6d41b623db44353a5e1058aae1bd9b19d082f584f4ebcd04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d8c23d3a77eded334412a22c6214ecbf

SHA1
91b818e9e1209f9ed341adf6b6e91af2cead7ed7

SHA256
27948e13feeb77bb3097025b8c5d090f7edce5bd95963be7c14caf952ac10d31

SHA512
4bd6e59b7d0a3f04f63539c01b8ce73c766c8aaff716fc38a2f2288de7744ab8882e94fa47d38805906474e31dd67ed55d20f4da6c485ed19f4609cd1915a12d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a6f3629c0079147a36d4747fbb8e9a93

SHA1
f6f36abb4d3c2b757d0f1645bbc32f76d62e887b

SHA256
040fdba5c27fb04e2efea5a98ad9828d6597a3343eb69b19c2ee2d024b4fccea

SHA512
5c2598cbf926aee8937939608abc302db34ad1fe6e7b49ae2aa9a99d28745c79d167b684eac99e59982e93abb92d5cec7258229eaa9d3719623d73ecee15371f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
ae8fd3a4a45767b79d4878e964a46a1f

SHA1
4c16151694b7ce720daf04f2a899376dce58a6e6

SHA256
2843082faeadb0fb58ff043f6f4affdd18ecc46d669f076d002c26bb0a3ec493

SHA512
601639ce125dad893315cfd465e430e03bb7e1379eaeb55b2955e14c7b4ae1ba30d657e5a38b610faf3e814b0cec0f02b33a8617bff37827ab0f8dc576842bef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
5b6e658f6450600073867a01c498fbe8

SHA1
1644302c91282230c0df35469ee845d5febc749f

SHA256
344453e0e8d3a6c777cff53686152b9b0701ef6b782101448e7420a88ebfc687

SHA512
4f33e11ed5d4c27d9807a835ece37259004e6f42c3a8df889a136aa556349b6078301bf12ab4458c1b49650e47684e11dfb9a0685b88b3aff768401e6b355ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
e5ebd1a451baf9ca7b8be521006467f9

SHA1
0c9cbaaf99178826d3018c3dc6798b175f4ec3ea

SHA256
2329d273b711ff3b25d951595ffb80eed5f3d564d43fee4219d6be700f41feea

SHA512
20da36f36ca9a854e55800973ecf155ba7cfb8476548b341b5078ef4febde633fba75d31535d5b8eef9b1f0297bad97e17bab3320f3bf35902ebc3a5857fdb7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
682f9ba0ab76aa00d1cf41a306a1e868

SHA1
08d55f37295c70b66a0efe6791dfa7efba9e1829

SHA256
87de5f3efc20e87c41b61331bd88dd2fb61e7377a2eead8d8ccbad8a40f3c4cf

SHA512
2b0e28c133d16afe476abf9b260c6d84b1bf35b299334a5231236415ef522c1f9015a7261e31a36864f51d5423a54a2512313030f23adf502b4fdec46cab8dee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
e82bfb2cc1f53722c8eefdb9c0dbb7d4

SHA1
bbb84a0a01bd79589b3fca3f12915e78ce59fda4

SHA256
5d4bd7699e1c2b5526e7db8a4cdbe25cc9d3c76fb3864da0bd9e74eacc3a6f5f

SHA512
2f968bbd2660317e2ef8cde49370166f3232b1cad98938aad128a8984302b399b65ab1db30e9b82c32df31a4590da06432e287c75593af1cbba6c3b8cb1ee46d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
6bd3ea0bc50e4a62c5603a1fb1939c1c

SHA1
e0c3b5d9ed82a06be7c02f009488830755ae0127

SHA256
00fbb982295498b4d81c1c84e53d7d3a420f3330a131338a29eba2c68ced03f1

SHA512
99ddcee187da44b076989a3d403cc2bbd2f624f52e44749b8dc5012443b5c9db2e8f15f349e2f43405a3899409b8a235c31b20b7994a51e048d33994f2b2f3cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
60130a0be94548ffc3345dfd8afe4607

SHA1
f8d360dc3219c031e8e4813ebbd6b2134abe97c6

SHA256
6f3dc2abadb2ce785ddefe39b25bdf7aa6d1095252332e74dda355e54e1dda3b

SHA512
5616eaa53ddc06e6f4d536ebc22756d09e8f3e34a7b2c04583deec28d94fafe1f94946066d030343a4f924207e93a17249aaafe899c50a9e90c038649438c8e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58a795.TMP

Filesize
93KB

MD5
ea168c201b0133e789de8aac8871ca80

SHA1
f5756c3aad54d2fface3f820b389d4136508e10e

SHA256
65f6f209d195df3d2479c6b387ebc6340039e43be87202e7cffa7fed9126c0fc

SHA512
4500279e93ab0f329ae4247c8542a214644fa509c829778590a25563e5c8463aa3eb1fd09706bbc98e24a35547ba7b2a72667d00f625f16936c30bbd074db31d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
c5f6e9ab82eef770f5ce72f00d24194d

SHA1
dd80bbf1847fbb07ae9838de032a4f2cb8755583

SHA256
1300afff7310d0a96ae8ffad5f6af2894bae7099b0a70ab500686fb3b8534390

SHA512
9e7a667bf29011828a5406570b47fd69592ab109610ef75bb824d4946549efae1dd47c42bf5924d66f8adff2c0031fcbf9a586d9b245fa7a83b8d5d72d88b27d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\58422962-6b15-11ef-9650-521b4fa5e422\Ninite.exe

Filesize
1.6MB

MD5
f1db4fe1d4559183cd1b35a257c970cc

SHA1
57d3904540930c3ebf80f30b6b6097bd055b6940

SHA256
a5f912ccbde324b7c5f5d81076ccda813b2d80d311f4c854d358b85b02094d56

SHA512
7ca2546d31b88d701d195adf62e10209f3216033692348b4f8ff54e254baca7c1e72dfbae66ccd5e684cf53900cbed3f5a05ddc24adb251ce752541fb1f56c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B8D81~1\target.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
C:\Users\Admin\Downloads\MLG.rar.crdownload

Filesize
10.9MB

MD5
7c7fb86210ab287c5b1b8da0e493818e

SHA1
fd0c9501f63ab40ad21b18f744c0ab126407b305

SHA256
adad0eaee2468fbff99e0089b10b1afec28044a67c100bc70c90f24782a778fe

SHA512
d5e19368b06b73700e1f5b1bbd962ee5ef0293c8eea6f70ef2fe38681c2101f22b5ef6ad42208a0a1439e0435dd830cd94f673cb1756f0a078a181d94e7ec90b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 754775.crdownload

Filesize
415KB

MD5
5346d4a170c7d12814e4d4da6cee18e4

SHA1
f926fa79d9ba583b12a98b49fb0b2c9e52a96b6f

SHA256
1611de2411dba878c4d328c4eda42710487f5516ef9a079052e7bc3220775e19

SHA512
31b3ee254f8073bea25a62cc9d2e48da3d6b92571aff89506348eca31d65099d2a0aa916f21b98b0ace0a6bd959fa44a996c3e889286504515a037f468660bfa

Download Submit