silverrat | c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

Analysis

max time kernel
94s
max time network
265s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winrar-x64-701.exe
Size

3.8MB
MD5

46c17c999744470b689331f41eab7df1
SHA1

b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256

c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA512

4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6
SSDEEP

98304:6NRBOBfKgQIm9EOTqw8vjh9Ac9nUNupK4hVvcF+yHrAr:sR/gmeOqv7Ac9F0kB

Score

10^/10

silverrat discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

tristanasnigeris.ddns.net:1177

Mutex

SilverMutex_ALxWrXoNHM

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1203134586893373491/q6tQbmKnUeuvvXfGSYTDOjac96V_7mQiYeTfQRdkoaOzb-RUY6kCok44-DiKFEoB460J
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
RVlNTm54UkNERUtDVkRxS1lta0FOZE9FSkl6ck5B
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
4
server_signature
e2X3I7vzsr0GSnC+Jr28Plys2ny8jjkud4Ica4lmgB7bEuEd12YwNooV9L7vQKsQfWTPQFO0x8eXiuCDVyfFLy/c3pJl8mv/JFgFj2pck86SFO+VTZivzxTPj5fXxd2Sf1mfX3PUn/KjsxMsZfqpnlhpLTblPQ2uIc1QdAHanmJxd8hZXYPFkvjOH6MOO9WxJ72ZJOijAodXh5Y9Y0eBMbdJ3ng4CHwDtqoPVXHYf60rO37IDKSnVCq4z80DwnUmiYGxXgRRYKXLIiOKXqQKZ+q2GvWj7A4b3bu7DIZmiMZUUeiyhL8d0FQrCUPDkdAsJi1Erxs3s9timx007fZc2cgEMLSBQyqvRZG8FaiP73+TKmqvo5izmiho9iZz4rtDIkGH0iTYRkdePcLGFRHkK6fjBawCW8A5UUuRQ4Sv2FHwCBVixdj44UZESEf74y8Ff/u1kQRXeJNxodf1/9wLVM0geMNFE3O+SjQESN4SRqzXyl8NHdeUX85Nzw1ITeeGvbvo2+BFGU67IWYfTQ0I4hsAhEaq7Cy/8nG16AesRL3IFCn5MtwGdj07MWTWr5jyU0USpNxmoLf2ZaGIPcXxP9NH+PSxAm8owCr19THoRSV+l5yVFi/QkR77tV8d8dA2/5qS7JUCZmQqQoDd2mw4kJMy4RL7p58dEy37bK9pKBY=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1028	attrib.exe
2928	attrib.exe
1220	attrib.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
188	discord.com
189	discord.com

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259441565	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701.exe

Executes dropped EXE 1 IoCs

pid	Process
2896	uninstall.exe

Loads dropped DLL 8 IoCs

pid	Process
2012	winrar-x64-701.exe
1192	Process not Found
2896	uninstall.exe
2896	uninstall.exe
2896	uninstall.exe
1192	Process not Found
2008	chrome.exe
2008	chrome.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1564	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-701.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
844	schtasks.exe
764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
236	chrome.exe
236	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe
Token: SeShutdownPrivilege	236	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe
236	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2012	winrar-x64-701.exe
2012	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2896	2012	winrar-x64-701.exe	30
PID 2012 wrote to memory of 2896	2012	winrar-x64-701.exe	30
PID 2012 wrote to memory of 2896	2012	winrar-x64-701.exe	30
PID 236 wrote to memory of 1120	236	chrome.exe	34
PID 236 wrote to memory of 1120	236	chrome.exe	34
PID 236 wrote to memory of 1120	236	chrome.exe	34
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 408	236	chrome.exe	36
PID 236 wrote to memory of 2600	236	chrome.exe	37
PID 236 wrote to memory of 2600	236	chrome.exe	37
PID 236 wrote to memory of 2600	236	chrome.exe	37
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38
PID 236 wrote to memory of 1984	236	chrome.exe	38

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1028	attrib.exe
2928	attrib.exe
1220	attrib.exe

C:\Users\Admin\AppData\Local\Temp\winrar-x64-701.exe
"C:\Users\Admin\AppData\Local\Temp\winrar-x64-701.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files\WinRAR\uninstall.exe
  "C:\Program Files\WinRAR\uninstall.exe" /setup
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6839758,0x7fef6839768,0x7fef6839778
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:2
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2196 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2204 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1548 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:2
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1476 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1108 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1048 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3884 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2656 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2576 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4156 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4236 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2040 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4220 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4160 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:8
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2196 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4296 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3832 --field-trial-handle=1128,i,17150475403347300091,9519130786983371826,131072 /prefetch:1
  2⤵
  PID:2552

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1612

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\BetaLoader.rar"
1⤵
PID:2028
- C:\Users\Admin\AppData\Local\Temp\Rar$EXb2028.27262.rartemp\BetaLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\Rar$EXb2028.27262.rartemp\BetaLoader.exe"
  2⤵
  PID:2672
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Loader"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1028
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Loader\$77explorer.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2928
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5580.tmp.bat""
    3⤵
    PID:2128
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1564
  - - C:\Users\Admin\Loader\$77explorer.exe
      "C:\Users\Admin\Loader\$77explorer.exe"
      4⤵
      PID:1900
- C:\Users\Admin\AppData\Local\Temp\Rar$EXb2028.31335.rartemp\BetaLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\Rar$EXb2028.31335.rartemp\BetaLoader.exe"
  2⤵
  PID:1796
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Loader\$77explorer.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1220
- - C:\Windows\system32\schtasks.exe
    "schtasks.exe" /query /TN BetaLoader.exe
    3⤵
    PID:2104
- - C:\Windows\system32\schtasks.exe
    "schtasks.exe" /Create /SC ONCE /TN "BetaLoader.exe" /TR "C:\Users\Admin\AppData\Local\Temp\Rar$EXb2028.31335.rartemp\BetaLoader.exe \"\BetaLoader.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:844
- - C:\Windows\system32\schtasks.exe
    "schtasks.exe" /query /TN BetaLoader.exe
    3⤵
    PID:2988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2968
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "explorer_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2568

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
105KB

MD5
b954981a253f5e1ee25585037a0c5fee

SHA1
96566e5c591df1c740519371ee6953ac1dc6a13f

SHA256
59e40b34b09be2654b793576035639c459ad6e962f9f9cd000d556fa21b1c7cd

SHA512
6a7772c6b404cd7fee50110b894ff0c470e5813264e605852b8dcc06bfaeb62b8cc79adcb695b3da149e42d5372a0d730cc7e8ed893c0bd0edb015fc088b7531

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
477KB

MD5
4783f1a5f0bba7a6a40cb74bc8c41217

SHA1
a22b9dc8074296841a5a78ea41f0e2270f7b7ad7

SHA256
f376aaa0d4444d0727db5598e8377f9f1606400adbbb4772d39d1e4937d5f28c

SHA512
463dff17f06eca41ae76e3c0b2efc4ef36529aa2eaed5163eec0a912fe7802c9fb38c37acfe94b82972861aaf1acf02823a5948fbb3292bb4743641acb99841e

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
45KB

MD5
1c44c85fdab8e9c663405cd8e4c3dbbd

SHA1
74d44e9cb2bf6f4c152aadb61b2ffc6b6ccd1c88

SHA256
33108dd40b4e07d60e96e1bcfa4ad877eb4906de2cc55844e40360e5d4dafb5d

SHA512
46d3fb4f2d084d51b6fd01845823100abc81913ebd1b0bcfeb52ef18e8222199d282aa45cae452f0716e0e2bf5520f7a6a254363d22b65f7ab6c10f11292ee2d

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
316KB

MD5
6ca1bc8bfe8b929f448e1742dacb8e7f

SHA1
eca3e637db230fa179dcd6c6499bd7d616f211e8

SHA256
997184b6f08d36dedc2cd12ee8dc5afb5e6e4bf77f7ab10f7ade9eefdb163344

SHA512
d823f2c960a4d92129b9bda0f4f9195d32e64b929082b5efb9149546b5053021255d1dd03cb443f0a03106314554f76b94173e280a553a81e4ac2ac282877973

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.1MB

MD5
53cf9bacc49c034e9e947d75ffab9224

SHA1
7db940c68d5d351e4948f26425cd9aee09b49b3f

SHA256
3b214fd9774c6d96332e50a501c5e467671b8b504070bbb17e497083b7e282c3

SHA512
44c9154b1fdbcf27ab7faee6be5b563a18b2baead3e68b3ea788c6c76cf582f52f3f87bd447a4f6e25ec7d4690761332211659d754fb4e0630c22a372e470bda

Download Submit
C:\Program Files\WinRAR\rarext.dll

Filesize
636KB

MD5
1e86c3bfcc0688bdbe629ed007b184b0

SHA1
793fada637d0d462e3511af3ffaec26c33248fac

SHA256
7b08daee81a32f72dbc10c5163b4d10eb48da8bb7920e9253be296774029f4ef

SHA512
4f8ae58bbf55acb13600217ed0eef09fa5f124682cedd2bfc489d83d921f609b66b0294d8450acb1a85d838adb0e8394dadf5282817dba576571e730704f43ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
1KB

MD5
c6150925cfea5941ddc7ff2a0a506692

SHA1
9e99a48a9960b14926bb7f3b02e22da2b0ab7280

SHA256
28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996

SHA512
b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
621e96e5b54fb8536d99aa2b16dfe355

SHA1
e2734a3ccf2650aedbde25d93e57d6b701124505

SHA256
d2f1b6f067fe69d786d938ec0003c4ce7500f015fdb30709bc22559abb0534f0

SHA512
d988bcff0a3a13cc30d9a496032c777b282cda298ecec09b2bb37cea914b1626ba9ff9cd56c6361dee4ac2dcfb721c6015561407884cf97974c502233bd921db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
667a1ca61ff28b13daf21a9194ee2e9b

SHA1
90052843d0bd4a3f7212e9482dd9b158e0c61dff

SHA256
167f5225faa341af2502cc7d38434fa5474284ac37e9dcf93c54e358375e9519

SHA512
e1b9f8ebcb8c8d0567a0bd6db36562a5d7c5b38778018fb5860f36f6036d232e57ed4bbab80271fa0fba019cf00430c6a4adeb4ccd7ebc1ad0e81845620c71ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00a7ddffb33efcfa2f731bfe3a98d71f

SHA1
43500711a5c66eaa20860f4ac805648e32ed9420

SHA256
fe5047d9978079d8edb54d6f4356aedfe3cfcb2e82525646c28c2a23a5dece43

SHA512
5de6fb59d907a793f5d04543523ba1ced36d9fe5c8fc3326a78dd74c64d054344aba30ace48906c3a677d22f941764320d9706a30042f2edb9b2035fd1700f82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cd8b6b2d250a251b35e06656523d563

SHA1
454e4d15e4612c90ef6b1273be1d2bc746e398c4

SHA256
351258b976141754fb7a1f9e228687c59445a87a66fe3efe5d4cad9e192497eb

SHA512
9be463caa3377b0a57dc7ea7d33369d65a60954873a7536b001b5a37a320f3573306f56e5e48496c32db9d30f3fe0cb08e08b7500bdcebd958bae452bd3a3e7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f1da2b7dc625fb6d6190d14b55fe3ed

SHA1
48250d52687f03235474a481b57a8cac517c8b40

SHA256
26b2de8c9983e932fcb2cba1267097c8a03686c7827ef137afba68573d9bc05f

SHA512
4b9937bcf0909e5045c1d905444d68d401ef22eabde81b3f369d7e249ba62582d674e302d90e2e2e4ecdadce38923b8234ff5a8795f89ba60ffea3d30fdab889

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c4c60c5131db66d714184478932c515

SHA1
bd68c22efaca5bae4747ef42f89bf43366b66b5e

SHA256
d91e9294353853f1a4055bf9e6142490d0ce1612c6095054ac1f749bce21b1b8

SHA512
07225361a0c41adc7d0b55a1cfcdffb12161a672f0318d2cd36088a787ccbef3ebebf4ea92ae7348a7723f9cb4e0240f7c343503bfd87f07787d2265e23cae8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13241599aac8eb50f29997cccde16393

SHA1
1872bf6fd593f15251b4ff76b94d3f9c613108f2

SHA256
868e74e952b174e587b99a88602e2abb00a5086e578f5d3e7efa9945ff215802

SHA512
57b179899beab6acf5a7433a8c639ff79792a4543665f6f4162146ca69ed8345245136025a1dc64980a86d28f06cf2f8c16193074526381197608395b2d856b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c326e107ea869a546c4be6e6796554df

SHA1
a7da4457761e75b1b09ddfeb4d30c8b31b122a2e

SHA256
a2149c0f34a1d280ad616c8025549526dc999a958353c3b849626466362af490

SHA512
9983fc00e351d2a08bb8e51efbe3d6e5fc9d5f4cd897e039dc1fd3e6a705e78ad86068932419c93db370def6901d671efe33f4910137292748962a8c9a126a2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d66a03d47ee3236463d2cd16437ff8d2

SHA1
c034ba67d05ca240c77b4a2082b63f96a0b2be83

SHA256
499e59abddb5b142bbe7ef85407d589c48f73e94849eaaf900905a220cefeb37

SHA512
738e31d18230ba05647becde2eebd9bce0144023a67c43aca5fa4cd9280c9f5ad6118d1ff536bfb3dc0f6c2765bd3cfeb7794fbf65069f700ce7f7bbd65e10b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ead685606a7f66f170662522204ca1b6

SHA1
4ebb76478a810c50e340c1acf7a877d055ad0311

SHA256
33b1395d6fbf7ecbac7b53e7fda8b1cbec1cd2159d1d3c5661925b423872be03

SHA512
aa9fd8e099b6e0e3bd0ab03d3378609fba19a19393a53d417e49e8daa91e8eb9963fd5d16e4e50deefb7f920ca95fc3d78422e55a50f992cac21cd88f8fbf5c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
276B

MD5
59aa7bef64cb2327bec0043b901fb5ce

SHA1
c768e93d296deb38e955c25ea635b3ff78e153a7

SHA256
ed4ed74035ecf83d12e991830c76a36735dcb1ffff6516d0e8cbb458f973c32a

SHA512
087bceb8d36a8b1cc8ff96daf6f2065243feb5247104be9f5af66ba4e7734a616d8e083a25ebf5c88f609ecac481c94077653f846bcb1915f84cd4f0f63acb87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a5ff7b8d3f9da95f3edc95416ad0ee3a

SHA1
a1d3fb57133e5369e14db282af76e1c6593cc9b2

SHA256
7237c8d0f62cf771e73c5e6099e0ff332f3bd57474348b304390afb190f9fcfd

SHA512
d0ac399fbcf673e3045e62b5bdeee954cf08fe562f2aba8c718980b504e00af2cb3c14ee28c719fc46058cb9ede922f373f2d53e585e29c4d7e1d2eecea2898e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d9969a07d84e7906080bfc3f9efa1ecb

SHA1
d59b5e52c9259973d03d431043a8a26d75de6656

SHA256
4688a3be3d0e0b26adb2a961b9abe3cb9afcd601a1718328b720eb6a88b8ba52

SHA512
93f69840a7f7a4d89c7d67e37207e4efa2fea54391f7ae74e29df560ef562af124cc800b0b45bb78cefd52b0ef82ca5960c3e501ecd832c814604d4d693481dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b7d2fb8d03c0b5a0ea1d3f0aab0970bc

SHA1
02db08959371866c3c23a21e907bba096a19da0f

SHA256
7fda06dc6575eb3de84e4c8791a5677d84f38c33c39626a893814fed1a251d32

SHA512
948d2a97a0cd1ab4f5cd495f529ec07c3e569014c2092d8d380f8f1f125a85ab9478500d920cd513625429a05857311d4d6fc26f344493318865d293c9a5b937

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
633B

MD5
8e191fa88138e1f4d440938502d1ded9

SHA1
dd50f6419c24bdb221e69151dc23f22eb974aa1b

SHA256
5ecd70a1d56c5e41018d53f3d8f6506e1c19773bc75fccbeaac7bbd9bb0c13e2

SHA512
91986d72c9cb66874ca5473a877ed836be189e2f6292b839db53e5686df76a59be6031137a007ea895a8dbbbf1a6c54382f88e3d1c9422eb8e1870a353fd4e07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
96e2ded70f1197e9fedbc822c0eb06c1

SHA1
9110e689475de6de108b06331bdff8717db8f738

SHA256
49d01ba52bb955c856ca825ab3402414d3f3af8d27efa72182aff1e93c42c7ee

SHA512
48df6fa29eb5b1a1fa250e721da73c4f4753a0a596f95728822c17d279a47d6ddb3db7b032c8444a6e7fb46cea657e94ec5d588059dc4d1ecb27bdb622c6bb5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1015B

MD5
b9514b85589b35c19ed2b5d3f1a6482e

SHA1
66319186401bafff46c9050b450c75d415912caf

SHA256
7a5a16c63378330bc7eb4ed96545a1519a3bc544acb6dc5ace6d34a03ca5337b

SHA512
4067deb7edfe695a18d98296787d467cc3e50a7f82b59f27fb49c89f4f57931623d6674bdb3184cc73ce7a874e4e80d6dcd3232878da6a1aacd4c7c375c63175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
d9cc190f750725b3449d0091ac9083d1

SHA1
a720c27efd0449e994af41c063aaebd758608e20

SHA256
49f64444aecc1982b92c4e243f8925ab858a8927cfb248af6be4adc67a20ed30

SHA512
a46b94cc04f81f3e589ff6d7382fcc62ef5f42a4b3315ea2677a1dfcdea1053d486725b12fbf34491d81ff1b7ffe93bd6d9c9369676e7f805d7608438b7fa425

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
430205500477587ef51ed42f3e4c8aa5

SHA1
fcc8bfbd0bdd18d4a8fcee4d155cb4e363b06b88

SHA256
fc92dddd5c210b6edac1dac62bddb94cc062f86c7661b0c2389282ce8b0b0015

SHA512
72960bc77af536485e033715dd62ca2e6de9f3927c3738bf1ec613f32d72da89da55148e6ea0e2ed3d4ce4c2512fc1f53f1344b3959a7e172a50e2a018997803

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5bf429b370429b5d23a8be35d251adbb

SHA1
b94f4d6194fe348fe7201b671dc1ffeca82d7459

SHA256
e2eefbd2c396d7e993590024ef31be4f3cbd4dbadcaac60f5328b3252e2298ea

SHA512
d66a1d34ba9d205f89aa9962f7786a8eace5d8dd9c80f295afb882e49d93e73930a58b0aea3d4c1564a2673cf4aed93ae04149b84a3cd75b29155a12f2736a4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
da1eb7c1c57a6f0a38b6433f9a0efb35

SHA1
24b2fae7be7472b241a73caaf5b1bbcb3404408a

SHA256
2fbb512107ee2a3488f246b4912cffd275d58a02d7e6eac3808851875c901dbc

SHA512
93aece714e4df1d66b4c0c7fb972309b5ee80821eee803c1e74fc892758705c7372ce827e6c4c73c8196e0b4d27d30cbaadffeefb85ade58ac3f6ed8f553c81d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c727f4fbe630fd6452451492a2e6758a

SHA1
299ca051a7a14de81281cc94c28a00fb5a051c47

SHA256
bd20f9002ae421634ebf41234e69aac354624aa4be904b7a76f79e5bb750d8e7

SHA512
0badc6ce66a2a03e188bb4bd571175d673e2f65cafb3eb31ab9183b8fe389724397de910744a8d9911e66ce52c644a594bf2c3fae8df38023171ad2749697c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e64ddf96a3127fdd920fa8a828f025d7

SHA1
f1fa4dd708ce360f3679d03209c91e5e9ecd87bb

SHA256
41edb68e95f19822c74df954b847830a3106ba258798812bfe5a2e3d4de6292d

SHA512
d32f43e457a5dfb908d402c7f672283461b21154cd7988b9c1735f11ba18cff9ab2ac525b2343992aa1651ae7d997c6292dab78c9e5974650cf514abe613cb47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
51c1774619b1e3198e2cf3e7d0089eda

SHA1
6b5532d159b3b07bfa0dc2db1f452712117fbb2b

SHA256
a603a9fd0022ea9073e36489793f283db59eed32ee6988d7ae995d9f40b8a307

SHA512
2f328b1a8c2909ddfca09cc72e3e0fb1d755858d2ba8d1a944bd00a84b21500ce2f9192f4ffaa2756954229997a0bc0234defc52f55de03f0fb8d189d4726e51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
9892775a985973786119a15565ee3abe

SHA1
7e85a1f24a7eed7774629db492487730ca0c0cc2

SHA256
4d839eba87d2cb906c81506946267df7373f67e3e65e892e17947d1c66c8f66f

SHA512
c3f438f142936acf92fd904b4d62d7b37a1bc8e0dc991bfedba7ea18bda3ecbd6cc8148e4bf03b0bee8ce17ffb7aed95da14c669625dca3f43445e4d59a82ab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
531c5348d74371962c8d8a613421c9a1

SHA1
aa00b2760eee3c0bcdd4cb634bc8c4e0adb93b99

SHA256
15108d8c57d0ee11f9c4f0a77e702bf57885ae1f74a7622a8813122e33ff9ca6

SHA512
fd849e63459fbe574ab11e9c6e731ec19edfc28abe6ba912540cb80bed95369968c62f8195007b0af59d85c286e31296099b092b30bf26c0d9d9216e3bbeba37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
cc50c5feeb676729b1e8fdc2528f9e2e

SHA1
4304853593b0a6e018e1af0d0310f2dcfb8a9537

SHA256
8a2046e8be9eef9518097bad816701cd0d49e31519ab87f0747b07012e0d1902

SHA512
6268c759322a070c88bdf47ed8025fb3dd99d0896792ab9ab79e30f46f42f403c7d17e0b425d5c2633240f5cb8cc63fee88b9bc79466424fe86e117e9d161d22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
76KB

MD5
4a0a7bcc871af3cbeb6aebb446ffc2dc

SHA1
e8e1fee1607cd2091e40a6c7fd84d69d919ef887

SHA256
5382dcf342c10df0ded5540575b7e81dfa34e256bf4a87fa3a25a12ba5d182c5

SHA512
6027fd06be9c6518ec368766f6c30d77b9fb4c499983d58a5bb663c8b09a88ad192cb895da9f1a0f58bbb36068a0ecc4c622b616e0ed05bf571970655b7a2c8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
84KB

MD5
99204768b73c72a8422fb0edfc28101b

SHA1
0965cdb64b08c1697c3c2e9536156e7d03dbdfbe

SHA256
b88830df46e8d7b355e4280807926b43187de187ea508e50817d50ef55ac83e2

SHA512
ff0e0d5e01930915b6f02ce6709b4ca74ed8014e6e07f0947fa4c9156889c8e637f6f18e054a608866a49e864af836d7e5b22425f1b0f62082f5a6474f49995b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7310.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar73ED.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5580.tmp.bat

Filesize
146B

MD5
87a3cc9d41f7fb63236da3485c6ec3e3

SHA1
d6d366e6309bf1c0ad3aa30d31d40daec36c92ee

SHA256
756c211197570e559b5e01702e3a628f8ddba62373bc7a7cc3530b3c9c80e189

SHA512
c3ae2ad43ecf88baca92901b12313ca7a9b6caa157beec13e1602374399932d732103a54b16b383d1df43f7622faa3b3bb090d73cbb738422f1a867e41bda1c9

Download Submit
C:\Users\Admin\Downloads\BetaLoader.rar

Filesize
22KB

MD5
d5c089b88167594a3de3a50e8a2928de

SHA1
d9412a7180a2a00dd440fb1721b04e3bfde4ba1d

SHA256
54996ea753f1eca648c82fb6b0b015a106932a537018d55d38356d5aea6b695f

SHA512
cfe353c06e339d155df4861e2ede1f0a3e979abec979e54d4080cb6e5ea9e939c299a6791cc40dfe6267bd9493e0cc1ce6d90be8eab03df26d6a692225759be3

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EXb2028.27262.rartemp\BetaLoader.exe

Filesize
45KB

MD5
c44d94d1513356d278358c2abaa7f4bf

SHA1
2e3cec99734b0b1112f39ba3e71dca25f92e8914

SHA256
b6a01a00e1618a65eec1e6f57a9fe937ed4ad312fa71db0b8bed8a425957789d

SHA512
d3237e3cf00ea527332c50dbe1e88e4b89cf8274eb47aa3cb91cefe16b1ab482b25991e619b9be165e1129d06acee3464a4182f1010e032bf690aadc409b4388

Download Submit
memory/1796-1190-0x000000013F3A0000-0x000000013F3B0000-memory.dmp

Filesize
64KB

Download
memory/1796-1256-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/1900-1253-0x000000013FAF0000-0x000000013FB00000-memory.dmp

Filesize
64KB

Download
memory/2008-1282-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1321-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1242-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1239-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1240-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1255-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1254-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1329-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1279-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1280-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1281-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1328-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1292-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1293-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1304-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1303-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1241-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2008-1320-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2672-1182-0x000000013F110000-0x000000013F120000-memory.dmp

Filesize
64KB

Download
memory/2968-1209-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2968-1210-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download