c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

Analysis

max time kernel
81s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winrar-x64-701 (1).exe
Size

3.8MB
MD5

46c17c999744470b689331f41eab7df1
SHA1

b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256

c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA512

4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6
SSDEEP

98304:6NRBOBfKgQIm9EOTqw8vjh9Ac9nUNupK4hVvcF+yHrAr:sR/gmeOqv7Ac9F0kB

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701 (1).exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701 (1).exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259431191	winrar-x64-701 (1).exe

Executes dropped EXE 3 IoCs

pid	Process
2476	uninstall.exe
2012	WinRAR.exe
908	WinRAR.exe

Loads dropped DLL 20 IoCs

pid	Process
2124	winrar-x64-701 (1).exe
1184	Process not Found
2476	uninstall.exe
2476	uninstall.exe
2476	uninstall.exe
1184	Process not Found
2476	uninstall.exe
1184	Process not Found
1184	Process not Found
1184	Process not Found
2012	WinRAR.exe
2012	WinRAR.exe
2012	WinRAR.exe
2012	WinRAR.exe
908	WinRAR.exe
908	WinRAR.exe
908	WinRAR.exe
908	WinRAR.exe
3048	chrome.exe
3048	chrome.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-701 (1).exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WinRAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WinRAR.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2124	winrar-x64-701 (1).exe
2124	winrar-x64-701 (1).exe
2012	WinRAR.exe
2012	WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2476	2124	winrar-x64-701 (1).exe	28
PID 2124 wrote to memory of 2476	2124	winrar-x64-701 (1).exe	28
PID 2124 wrote to memory of 2476	2124	winrar-x64-701 (1).exe	28
PID 2476 wrote to memory of 2800	2476	uninstall.exe	30
PID 2476 wrote to memory of 2800	2476	uninstall.exe	30
PID 2476 wrote to memory of 2800	2476	uninstall.exe	30
PID 2476 wrote to memory of 2012	2476	uninstall.exe	31
PID 2476 wrote to memory of 2012	2476	uninstall.exe	31
PID 2476 wrote to memory of 2012	2476	uninstall.exe	31
PID 2476 wrote to memory of 908	2476	uninstall.exe	35
PID 2476 wrote to memory of 908	2476	uninstall.exe	35
PID 2476 wrote to memory of 908	2476	uninstall.exe	35
PID 2476 wrote to memory of 916	2476	uninstall.exe	36
PID 2476 wrote to memory of 916	2476	uninstall.exe	36
PID 2476 wrote to memory of 916	2476	uninstall.exe	36
PID 1524 wrote to memory of 804	1524	chrome.exe	40
PID 1524 wrote to memory of 804	1524	chrome.exe	40
PID 1524 wrote to memory of 804	1524	chrome.exe	40
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2720	1524	chrome.exe	42
PID 1524 wrote to memory of 2088	1524	chrome.exe	43
PID 1524 wrote to memory of 2088	1524	chrome.exe	43
PID 1524 wrote to memory of 2088	1524	chrome.exe	43
PID 1524 wrote to memory of 2964	1524	chrome.exe	44
PID 1524 wrote to memory of 2964	1524	chrome.exe	44
PID 1524 wrote to memory of 2964	1524	chrome.exe	44
PID 1524 wrote to memory of 2964	1524	chrome.exe	44

C:\Users\Admin\AppData\Local\Temp\winrar-x64-701 (1).exe
"C:\Users\Admin\AppData\Local\Temp\winrar-x64-701 (1).exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Program Files\WinRAR\uninstall.exe
  "C:\Program Files\WinRAR\uninstall.exe" /setup
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2800
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:2012
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:908
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:916

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6849758,0x7fef6849768,0x7fef6849778
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:2
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1656 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1428 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2184 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1208 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:2
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1576 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1572 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2328 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --instant-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2344 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3884 --field-trial-handle=1388,i,15262016321970624506,9071172197492100817,131072 /prefetch:1
  2⤵
  PID:756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Order.htm

Filesize
3KB

MD5
5c336de3b3d794322ad9e5915e3a509f

SHA1
5256262a417e9a29fe23e8cca09782c7a3532fc9

SHA256
bce29ef3b95306cb7b304fb8c3039be7157356d9f9d4e7e1c6bfbf02a117f48f

SHA512
7243c9b8eb39fc8aa10ec8b5c290e27d44fa1c245f0478b75ae77964c178d41e9c1f651f987316f1153c1a7176eecebc269ffb0c42ced5bd0b12e5cc1b95da04

Download Submit
C:\Program Files\WinRAR\Rar.txt

Filesize
105KB

MD5
b954981a253f5e1ee25585037a0c5fee

SHA1
96566e5c591df1c740519371ee6953ac1dc6a13f

SHA256
59e40b34b09be2654b793576035639c459ad6e962f9f9cd000d556fa21b1c7cd

SHA512
6a7772c6b404cd7fee50110b894ff0c470e5813264e605852b8dcc06bfaeb62b8cc79adcb695b3da149e42d5372a0d730cc7e8ed893c0bd0edb015fc088b7531

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
45KB

MD5
1c44c85fdab8e9c663405cd8e4c3dbbd

SHA1
74d44e9cb2bf6f4c152aadb61b2ffc6b6ccd1c88

SHA256
33108dd40b4e07d60e96e1bcfa4ad877eb4906de2cc55844e40360e5d4dafb5d

SHA512
46d3fb4f2d084d51b6fd01845823100abc81913ebd1b0bcfeb52ef18e8222199d282aa45cae452f0716e0e2bf5520f7a6a254363d22b65f7ab6c10f11292ee2d

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
316KB

MD5
6ca1bc8bfe8b929f448e1742dacb8e7f

SHA1
eca3e637db230fa179dcd6c6499bd7d616f211e8

SHA256
997184b6f08d36dedc2cd12ee8dc5afb5e6e4bf77f7ab10f7ade9eefdb163344

SHA512
d823f2c960a4d92129b9bda0f4f9195d32e64b929082b5efb9149546b5053021255d1dd03cb443f0a03106314554f76b94173e280a553a81e4ac2ac282877973

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.1MB

MD5
53cf9bacc49c034e9e947d75ffab9224

SHA1
7db940c68d5d351e4948f26425cd9aee09b49b3f

SHA256
3b214fd9774c6d96332e50a501c5e467671b8b504070bbb17e497083b7e282c3

SHA512
44c9154b1fdbcf27ab7faee6be5b563a18b2baead3e68b3ea788c6c76cf582f52f3f87bd447a4f6e25ec7d4690761332211659d754fb4e0630c22a372e470bda

Download Submit
C:\Program Files\WinRAR\rarext.dll

Filesize
636KB

MD5
1e86c3bfcc0688bdbe629ed007b184b0

SHA1
793fada637d0d462e3511af3ffaec26c33248fac

SHA256
7b08daee81a32f72dbc10c5163b4d10eb48da8bb7920e9253be296774029f4ef

SHA512
4f8ae58bbf55acb13600217ed0eef09fa5f124682cedd2bfc489d83d921f609b66b0294d8450acb1a85d838adb0e8394dadf5282817dba576571e730704f43ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a797b58dc9355069b838350e37bdbf5d

SHA1
c7d5a3881ff63d195e6fe1c54d4f776ef3b4c3de

SHA256
459e605238fc495466c657cedbaf6b52e09451b4ebe09028ecfca3fbebf85f48

SHA512
806be6c06bcc7bc182f432cd33cc568271f02d1a80e96eb79ad78de6c71ea3f1fba12e041598d5e67f45fc9de27172821978d107b8e8edfde889acfab45614bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
43efda9b8f0a3c70aab11b7761dd703f

SHA1
45597095bae5875d2205538bea972aba31cc734c

SHA256
dc09cbfbc1195ed7ab7fd14b5d8af805a4585b241e3d1123aa0ded0156e25efa

SHA512
dea1374cf982f0385ec69c7641da8f9f359ff1e3b635c2ec46604d32c15629115b12a185584b8f14ea5dca7af6cc756b52653a3a874eafcb207ba0a833cf343d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
359232457b15cd8aed6607157a7f7ff6

SHA1
87638435e445738ab11b174ac3402a4db572a5b8

SHA256
e0af269aa439f6d1a66a5a33ecae47e5b73bb5a8dc41010de56664774ae5a795

SHA512
ab4a36e8fc2e91fc868d3e46294683478e73bee5e926d0cf659842dc6938d32fec4176e0f56b17a47bc6a8ad4a75cdddc26bb366745bc83b1e621ae27ca830e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1836f2e386b903a54333d5ab57743bc2

SHA1
811ac4938ce58cfe6fb2d8cb6cf4b187ff20a608

SHA256
9b77bb3f47133ea0268f3ddcd6f2c518afb61c8fc0a5f29215e9258fd5e235a1

SHA512
a096410c19f66a2346c2c91c6af160cdb2049eb77d455f8dc67751433e09077abf9941a6b8ef3ca215fcc372fa8f0ebaa02641bbd96286005dc600789295797f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cacb8a72e9226dd02e3c6bd0817e5def

SHA1
f914398627034599723065784142b0340b905231

SHA256
574d8a73aafbeef8bc337c2f81f6a4ebd9f2a614fe563794343e7408c9633ce0

SHA512
aca5deb81346f27acc277af2e626813f3a72f33032c6dc53fadbd987fdcb044810279c1826d837ab0af47d13445b2149ec927ac3dbaf3e266828a7d3b69344d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
347KB

MD5
2c32634cf515d506329c50d46b13c2d2

SHA1
e508b66296f89e4fc81a9b28d2df4fc506e1de31

SHA256
d0e15bd66f16f2d4b1d8bc22a5a671a08b5e0fbda6fe4cda25db3b2fa9328426

SHA512
88398d4222f1575501b1a6f7a401b025b12b9d86a3269bbb0dec5a8fc2819987531f9d706edb1b9eda8eb88c7133a8218571e7969d7e10e64fdc5cd1628b9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7668.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar78FA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
ccf69d3a49394a5c92d21db134c7fadd

SHA1
080686b4c67c9347b2baa585fea0e46846ae0428

SHA256
b9cc3c158ce9256892935f66895a01a7601009be12c0ca5d59f7caec96b62de4

SHA512
dee6bb756f3c41c1a99672dd74ee239cd6783654b7c351557272fc8e51be8854ce5f59531f62bd285309e858d14573f21427b9589c0d6561827b4cce8ca59601

Download Submit
\Program Files\WinRAR\Rar.exe

Filesize
744KB

MD5
16659ae52ce03889ad19db1f5710c6aa

SHA1
66b814fe3be64229e2cc19f0a4460e123ba74971

SHA256
0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118

SHA512
f9dd360c3a230131c08c4d5f838457f690ed4094ec166acd9f141b7603f649cfa71a47ea80e9ff41b8296246bdc1c72a75288f9a836c18431e06c2e8e3fc8398

Download Submit
\Program Files\WinRAR\RarExtInstaller.exe

Filesize
181KB

MD5
f5b54d16610a819bbc6099bdc92add2c

SHA1
7c680a87233ff7e75866657e9c1acf97d69f6579

SHA256
46f533007fb231d0b0af058a0997ab5e6b44a1b02ae327621f04fdc4b2e18964

SHA512
a120a2ee6c926cd6f6b8d1be68ff471294552b049baa637a474d1210fe3ca83e66d0834217d1a5eea0491d080cea1795ee328fdd4cb54f6a132be2dc2e58e4a8

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
477KB

MD5
4783f1a5f0bba7a6a40cb74bc8c41217

SHA1
a22b9dc8074296841a5a78ea41f0e2270f7b7ad7

SHA256
f376aaa0d4444d0727db5598e8377f9f1606400adbbb4772d39d1e4937d5f28c

SHA512
463dff17f06eca41ae76e3c0b2efc4ef36529aa2eaed5163eec0a912fe7802c9fb38c37acfe94b82972861aaf1acf02823a5948fbb3292bb4743641acb99841e

Download Submit