lumma | e883775711e2df54fc98181d782ede135d1b5e212594fe59cb9e75be5cdfaaa6

Analysis

max time kernel
136s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer_1.05_36.9.zip
Size

20.8MB
MD5

e866021c606a52158525d4f2df67a5cd
SHA1

bdb711c91b37bcf9306d53c396441eab5d0f4fbc
SHA256

e883775711e2df54fc98181d782ede135d1b5e212594fe59cb9e75be5cdfaaa6
SHA512

61432fdd6a5a7744ed37359cbe98786981fed6fc32795179267a571904323ea69c500b3c2cb5bd2c6572d34c212ed9bb1c1d9e5a73c5e27d95d8c8989ea7f569
SSDEEP

393216:NZmphOyRvFL6UdiB5nFxhmRvmJiS7+dMA/bYomtmx6YDjN1fxRS:NZmphOyRtJiBHKR+4MA/EpQvPxQ

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://siffinisherz.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 13 IoCs

pid	Process
2724	winrar-x64.exe
2932	uninstall.exe
1332	installer_1.05_36.9.exe
1536	Likewise.com
2676	installer_1.05_36.9.exe
1944	Likewise.com
264	installer_1.05_36.9.exe
2968	Likewise.com
1712	WinRAR.exe
1672	installer_1.05_36.9.exe
2948	installer_1.05_36.9.exe
2820	Likewise.com
1292	Likewise.com

Loads dropped DLL 52 IoCs

pid	Process
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
2724	winrar-x64.exe
1260	Process not Found
2932	uninstall.exe
2932	uninstall.exe
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1720	cmd.exe
1260	Process not Found
1260	Process not Found
1260	Process not Found
760	cmd.exe
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
2512	cmd.exe
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
2988	tasklist.exe
2404	tasklist.exe
796	tasklist.exe
1040	tasklist.exe
2540	tasklist.exe
1344	tasklist.exe
1712	tasklist.exe
840	tasklist.exe
2508	tasklist.exe
2712	tasklist.exe

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\License.txt	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\Default32.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259473795	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\StartPoor	installer_1.05_36.9.exe
File opened for modification	C:\Windows\EmeraldAble	installer_1.05_36.9.exe
File opened for modification	C:\Windows\EmeraldAble	installer_1.05_36.9.exe
File opened for modification	C:\Windows\EmeraldAble	installer_1.05_36.9.exe
File opened for modification	C:\Windows\StartPoor	installer_1.05_36.9.exe
File opened for modification	C:\Windows\StartPoor	installer_1.05_36.9.exe
File opened for modification	C:\Windows\EmeraldAble	installer_1.05_36.9.exe
File opened for modification	C:\Windows\StartPoor	installer_1.05_36.9.exe
File opened for modification	C:\Windows\StartPoor	installer_1.05_36.9.exe
File opened for modification	C:\Windows\EmeraldAble	installer_1.05_36.9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likewise.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer_1.05_36.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likewise.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer_1.05_36.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer_1.05_36.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer_1.05_36.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likewise.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer_1.05_36.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likewise.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likewise.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,1"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1536	Likewise.com
1536	Likewise.com
1536	Likewise.com
1944	Likewise.com
1944	Likewise.com
1944	Likewise.com
2968	Likewise.com
2968	Likewise.com
2968	Likewise.com
2820	Likewise.com
2820	Likewise.com
2820	Likewise.com
1292	Likewise.com
1292	Likewise.com
1292	Likewise.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1080	7zFM.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	1080	7zFM.exe
Token: 35	1080	7zFM.exe
Token: SeSecurityPrivilege	1080	7zFM.exe
Token: SeRestorePrivilege	864	7zG.exe
Token: 35	864	7zG.exe
Token: SeSecurityPrivilege	864	7zG.exe
Token: SeSecurityPrivilege	864	7zG.exe
Token: SeDebugPrivilege	1712	tasklist.exe
Token: SeDebugPrivilege	2988	tasklist.exe
Token: SeDebugPrivilege	840	tasklist.exe
Token: SeDebugPrivilege	2404	tasklist.exe
Token: SeDebugPrivilege	796	tasklist.exe
Token: SeDebugPrivilege	1040	tasklist.exe
Token: SeDebugPrivilege	2540	tasklist.exe
Token: SeDebugPrivilege	2508	tasklist.exe
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	1344	tasklist.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1080	7zFM.exe
1080	7zFM.exe
1080	7zFM.exe
864	7zG.exe
1536	Likewise.com
1536	Likewise.com
1536	Likewise.com
1944	Likewise.com
1944	Likewise.com
1944	Likewise.com
2968	Likewise.com
2968	Likewise.com
2968	Likewise.com
1712	WinRAR.exe
1712	WinRAR.exe
1712	WinRAR.exe
1712	WinRAR.exe
1712	WinRAR.exe
1712	WinRAR.exe
2820	Likewise.com
2820	Likewise.com
2820	Likewise.com
1292	Likewise.com
1292	Likewise.com
1292	Likewise.com

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1536	Likewise.com
1536	Likewise.com
1536	Likewise.com
1944	Likewise.com
1944	Likewise.com
1944	Likewise.com
2968	Likewise.com
2968	Likewise.com
2968	Likewise.com
2820	Likewise.com
2820	Likewise.com
2820	Likewise.com
1292	Likewise.com
1292	Likewise.com
1292	Likewise.com

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	winrar-x64.exe
2724	winrar-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2932	2724	winrar-x64.exe	37
PID 2724 wrote to memory of 2932	2724	winrar-x64.exe	37
PID 2724 wrote to memory of 2932	2724	winrar-x64.exe	37
PID 1332 wrote to memory of 1720	1332	installer_1.05_36.9.exe	40
PID 1332 wrote to memory of 1720	1332	installer_1.05_36.9.exe	40
PID 1332 wrote to memory of 1720	1332	installer_1.05_36.9.exe	40
PID 1332 wrote to memory of 1720	1332	installer_1.05_36.9.exe	40
PID 1720 wrote to memory of 1712	1720	cmd.exe	42
PID 1720 wrote to memory of 1712	1720	cmd.exe	42
PID 1720 wrote to memory of 1712	1720	cmd.exe	42
PID 1720 wrote to memory of 1712	1720	cmd.exe	42
PID 1720 wrote to memory of 896	1720	cmd.exe	43
PID 1720 wrote to memory of 896	1720	cmd.exe	43
PID 1720 wrote to memory of 896	1720	cmd.exe	43
PID 1720 wrote to memory of 896	1720	cmd.exe	43
PID 1720 wrote to memory of 2988	1720	cmd.exe	45
PID 1720 wrote to memory of 2988	1720	cmd.exe	45
PID 1720 wrote to memory of 2988	1720	cmd.exe	45
PID 1720 wrote to memory of 2988	1720	cmd.exe	45
PID 1720 wrote to memory of 2452	1720	cmd.exe	46
PID 1720 wrote to memory of 2452	1720	cmd.exe	46
PID 1720 wrote to memory of 2452	1720	cmd.exe	46
PID 1720 wrote to memory of 2452	1720	cmd.exe	46
PID 1720 wrote to memory of 2984	1720	cmd.exe	47
PID 1720 wrote to memory of 2984	1720	cmd.exe	47
PID 1720 wrote to memory of 2984	1720	cmd.exe	47
PID 1720 wrote to memory of 2984	1720	cmd.exe	47
PID 1720 wrote to memory of 1148	1720	cmd.exe	48
PID 1720 wrote to memory of 1148	1720	cmd.exe	48
PID 1720 wrote to memory of 1148	1720	cmd.exe	48
PID 1720 wrote to memory of 1148	1720	cmd.exe	48
PID 1720 wrote to memory of 3068	1720	cmd.exe	49
PID 1720 wrote to memory of 3068	1720	cmd.exe	49
PID 1720 wrote to memory of 3068	1720	cmd.exe	49
PID 1720 wrote to memory of 3068	1720	cmd.exe	49
PID 1720 wrote to memory of 2788	1720	cmd.exe	50
PID 1720 wrote to memory of 2788	1720	cmd.exe	50
PID 1720 wrote to memory of 2788	1720	cmd.exe	50
PID 1720 wrote to memory of 2788	1720	cmd.exe	50
PID 1720 wrote to memory of 2668	1720	cmd.exe	51
PID 1720 wrote to memory of 2668	1720	cmd.exe	51
PID 1720 wrote to memory of 2668	1720	cmd.exe	51
PID 1720 wrote to memory of 2668	1720	cmd.exe	51
PID 1720 wrote to memory of 1536	1720	cmd.exe	52
PID 1720 wrote to memory of 1536	1720	cmd.exe	52
PID 1720 wrote to memory of 1536	1720	cmd.exe	52
PID 1720 wrote to memory of 1536	1720	cmd.exe	52
PID 1720 wrote to memory of 2896	1720	cmd.exe	53
PID 1720 wrote to memory of 2896	1720	cmd.exe	53
PID 1720 wrote to memory of 2896	1720	cmd.exe	53
PID 1720 wrote to memory of 2896	1720	cmd.exe	53
PID 2676 wrote to memory of 300	2676	installer_1.05_36.9.exe	55
PID 2676 wrote to memory of 300	2676	installer_1.05_36.9.exe	55
PID 2676 wrote to memory of 300	2676	installer_1.05_36.9.exe	55
PID 2676 wrote to memory of 300	2676	installer_1.05_36.9.exe	55
PID 300 wrote to memory of 840	300	cmd.exe	57
PID 300 wrote to memory of 840	300	cmd.exe	57
PID 300 wrote to memory of 840	300	cmd.exe	57
PID 300 wrote to memory of 840	300	cmd.exe	57
PID 300 wrote to memory of 620	300	cmd.exe	58
PID 300 wrote to memory of 620	300	cmd.exe	58
PID 300 wrote to memory of 620	300	cmd.exe	58
PID 300 wrote to memory of 620	300	cmd.exe	58
PID 300 wrote to memory of 2404	300	cmd.exe	59

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\installer_1.05_36.9.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1080

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\Read me before you start.txt
1⤵
PID:2196

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap9495:118:7zEvent30833
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:864

C:\Users\Admin\Desktop\New folder\winrar-x64.exe
"C:\Users\Admin\Desktop\New folder\winrar-x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Program Files\WinRAR\uninstall.exe
  "C:\Program Files\WinRAR\uninstall.exe" /setup
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Modifies registry class
  PID:2932

C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.exe
"C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Symphony Symphony.cmd & Symphony.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:896
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 180180
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Gilbert
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "uploaded" Smell
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 180180\Likewise.com + Moderators + Ship + Develops + Briefs + Cache + Web + Dependent + Crimes + Responsibility + Brandon + Separated 180180\Likewise.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Senegal + ..\Contract + ..\Chrome + ..\Renewable + ..\Vancouver + ..\Saving + ..\Topless + ..\Coordinate d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\180180\Likewise.com
    Likewise.com d
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1536
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896

C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.exe
"C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Symphony Symphony.cmd & Symphony.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:300
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:620
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 180180
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Gilbert
    3⤵
    - System Location Discovery: System Language Discovery
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 180180\Likewise.com + Moderators + Ship + Develops + Briefs + Cache + Web + Dependent + Crimes + Responsibility + Brandon + Separated 180180\Likewise.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Senegal + ..\Contract + ..\Chrome + ..\Renewable + ..\Vancouver + ..\Saving + ..\Topless + ..\Coordinate d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\180180\Likewise.com
    Likewise.com d
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1944
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1880

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\Read me before you start.txt
1⤵
PID:2028

C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.exe
"C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Symphony Symphony.cmd & Symphony.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:760
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:796
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 180180
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2744
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Gilbert
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "uploaded" Smell
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 180180\Likewise.com + Moderators + Ship + Develops + Briefs + Cache + Web + Dependent + Crimes + Responsibility + Brandon + Separated 180180\Likewise.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Senegal + ..\Contract + ..\Chrome + ..\Renewable + ..\Vancouver + ..\Saving + ..\Topless + ..\Coordinate d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1736
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\180180\Likewise.com
    Likewise.com d
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2968
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.rar" "C:\Users\Admin\Desktop\New folder\"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1712

C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.exe
"C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Symphony Symphony.cmd & Symphony.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2512
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1628
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 180180
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Gilbert
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "uploaded" Smell
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 180180\Likewise.com + Moderators + Ship + Develops + Briefs + Cache + Web + Dependent + Crimes + Responsibility + Brandon + Separated 180180\Likewise.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Senegal + ..\Contract + ..\Chrome + ..\Renewable + ..\Vancouver + ..\Saving + ..\Topless + ..\Coordinate d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\180180\Likewise.com
    Likewise.com d
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2820
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008

C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.exe
"C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Symphony Symphony.cmd & Symphony.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 180180
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Gilbert
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 180180\Likewise.com + Moderators + Ship + Develops + Briefs + Cache + Web + Dependent + Crimes + Responsibility + Brandon + Separated 180180\Likewise.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Senegal + ..\Contract + ..\Chrome + ..\Renewable + ..\Vancouver + ..\Saving + ..\Topless + ..\Coordinate d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1940
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\180180\Likewise.com
    Likewise.com d
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1292
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
109KB

MD5
2132aceded754d35ab911823a9b41cb4

SHA1
e1f549ae718257f55b61bedfd0e7b9c06dc3f533

SHA256
6805c8b3fa7d4f19dbd2439e2cdbf2cf7c6e538484d800266798575a58571b70

SHA512
464142af80cd292f2558af5d1d133b27df611999322772bc4e442eb4f7bb6b7b3e7fa8dd26cc050abcbcc6d205e4298f81ea948bbe1ca12c3e126cc960cf3478

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
50KB

MD5
35bd214434c43c5d02b2be9d59a6a496

SHA1
8751490f7159ccce1a37b337824b35378c7ede63

SHA256
3458c5f059146fd519e95b01397bc063c02c618b962d1ea1034989983f4d6317

SHA512
565fe00206b80fe9ff59a89e9f7b373e93454eb2a1e80b9a02e75a6575f04915d359f54654e172bdcf0351544b1c02f87dc6e2f1e69a0d769866aeade2630086

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
323KB

MD5
53ad0a4d91e4382adfbb7a32586b0268

SHA1
d66cf7e028ef6c7b4361cd58bd6ce73bc62557aa

SHA256
af036a8fc3d84838ad5dab142a5f4dd6e939a083d1af9371af3ef3ae5428fd31

SHA512
352bb33a00d19f0310d31cfc26f66cfdb4bcdb24127f28384e1eaf9ac0b02a06d403a86e519894054e42bd6a9167536b1cff77ea27c6cced275860021e0ba943

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.2MB

MD5
d0b13a4155900291fffc4199d7a00173

SHA1
e238bc74de42670c3bbe9d0d317d07647d9389d0

SHA256
72a2899a23ee78bc8059ecbf81cfdc1003a401e460ece5bbf54a47a3cd392b8c

SHA512
41973232528fc09407aba3000fb433c7f9855b63ee83f4a20faf9bfb7554e2f0cf894f9350b7531d620bca67856728c6e39c7ad4b2bff2b0357d14991e3e448e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\180180\Likewise.com

Filesize
134KB

MD5
810362c84e210968dc1799fe608c3557

SHA1
d59ac1bdc24c532896e22087d17f64cce0e15893

SHA256
7da9a89bdc7968ac42c1883e1f428711cdb3c536b0e6de29738903f98b247f17

SHA512
cadfb97cf7ab304da9a6bcb8b0b98a3d350b036c2ca4947960cbd799568f7b5c3120f287b47fe4ded0b64b81a2903c9ded6ce3963644cbdf4d3697fe3d905fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Brandon

Filesize
71KB

MD5
6ed308f7d869ec3e4db1fe15f830524b

SHA1
e4d07a8e12c64e6faedcf539cd08e64c4040f96d

SHA256
62341bc1b0dcc86f45c396fe54b7b7645d1007ab784e8d4326cceb7d87a2e502

SHA512
2df2cf7dddbdf3347e521fb3507bed0b70eea8c6c70a41da90d566bb191c6086f709fd505571fa3f62b8764f2e634c1ca42513365737ae831cdeb44c2c077364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Briefs

Filesize
80KB

MD5
4153e21eda04746677f819feb4122ac3

SHA1
66a3c082b1b72b807bd23c903c5d2abb6499e2d9

SHA256
e826f8b8c4096060e2c3a874e4a2ac226ac9d3e554eb0793cfb2e8e6a31aa6e4

SHA512
8b9cbc042a5783accfc8696590e0a0041892d13aac4394b51c48b73dbcd8780bd12262d844427285ede2cc9689c48dc1d5ef6944d55ba2088a1b04c246dc5d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cache

Filesize
81KB

MD5
ed7f9415d7b54f8ede0a3a8dd375477b

SHA1
5325b94beb75c860df240b43b69bb53ebcd083eb

SHA256
55f7d8c972f72e7b171ad344f157125f2ef23db756f8b1e42cf6c961eb207196

SHA512
0acc7abf9835c1609fb4802e8331aad73f27287fcbb0d2cdc649affda52410ee607269fd10f7f31852acd773d5d1cc0e739050c08247277411be6652795514ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Chrome

Filesize
87KB

MD5
f8b845b5b26b29eaa1c06aa06bc0fb92

SHA1
97272fb14ca992a2e12c8d19a2e91b3a68a11a9d

SHA256
85c9572494b9699eff20d796e97ff4a047fd6fc097f7a2cb047096333f44e56c

SHA512
24e49f8386f395bd1f190f57860d601af60795d19988f7206af4d2c829e1c1a93f6f43caaf54e2d325f5cb648848d0d65069ffa372b9a29c9412695529b2eaa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Contract

Filesize
53KB

MD5
e24356ea28495b0e1b69b9a8603d53b3

SHA1
f1fc13753890eb26f2ed6d6f59d63e2082689fa6

SHA256
6207a5d1d56a6bf346c01899b305489086f70803c168920e9be8cc6fa5b5616b

SHA512
8417f60f5c361e8fa5c88e55e93fc3347e66c4e72c558281b9cbec9bcb6e5accef14efd7b6edb2a8ba6b21d58202139eb12d9612f50fc7987304946411a5b11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Coordinate

Filesize
17KB

MD5
bba020b48ce0fd7c008a9669e553c753

SHA1
2620b9802be9df3b4d845b86303eb4a62dd6e536

SHA256
5708f8cf507ca99f746f7adb73438f778689b2fa1ab42c465d47e9b47694f876

SHA512
3bbc10788364dd2fdd837485b3dfabed6ffd1f7802fd284e4c631f87717c4c1477e0ce477f6d45aa9fbf200b3ad199f4d7954a065a31a588991ad75600576c9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Crimes

Filesize
58KB

MD5
b1be6a708824ea3c5cf8f36419459271

SHA1
515363b573142ff8f8f8820d54009bf339ceba4e

SHA256
b3dc6542764513d7bd09d6fd8111aa5e0adb0bfa8c401e573d2beafa37a51842

SHA512
2568235fceef6641bab9bf5357454179ef981b18e71ba42b5e59ddd03bcad8b876dd0d1f1337c26102570b769d1457ef1610b45ac6662d4b2684059e6c0ab9a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Dependent

Filesize
134KB

MD5
d29780a278bb821507d430c26d3d9824

SHA1
9f4d871d425c67a9803f35ba5a00af00c98ca355

SHA256
a92a07097801202ba0374231c460ec66d54ed9e49a1a26c592c776e8af8f42d8

SHA512
6a2e9b9049c1ebe9cd91f119deb1a2681ac9ac33ecbe5ddf0d54a0f0bf54b8f6c051a48f9d4fa1730f4d3984fa2eb871ea8f4ce5a91df99d78bbc48098a3864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Develops

Filesize
82KB

MD5
29b3c1f2b5e93576f17c06c7aea114e2

SHA1
208c72a09d416443351cd95629839e9f254da1e3

SHA256
727b6c1aab46553efac919f188d688a09e78823afb9476bf20923732b42edb23

SHA512
cdeae4d2887aabff2bf1c05b88741cbe2020fec4fc17872d10e804af1116b8084fd8e6725fe1222b0a9152cd70af2c5337c6aa7215b9ceb6d20712012f05f253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Gilbert

Filesize
478KB

MD5
6363bc32cc64e15e84000602f2cdb5c8

SHA1
4e3d079796910b6fac6052be14c0a32bd6f2bddc

SHA256
439e14ff8553551ee16715eaa745d1b3ba184d082728f9a7aa33aa162f38d1bb

SHA512
effe8d1394125d5e635d864aaf52ebb46f60355611154c2112ed1cc626d6daeaf375317609c128473193b2d19bfef9f182d3a9d322b73e23851f49cf3a07e962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Moderators

Filesize
55KB

MD5
b69d2f43603e84922ffd11423ebed1d1

SHA1
176da2a6c3cd00301fff2b056ca694525a40d812

SHA256
928430c45b49db5dbac2819a68a3ccc49e143632f28255653ec34c0d279f694a

SHA512
6231fc45b23153510dc9f9c8016eeb08c91c8d4ebebdafce0ccc1badf9281e13a425a3ca0f9a45092166f985f173a207b680b8410f796006ecffe9d16e74b0f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Renewable

Filesize
71KB

MD5
8d50e522d1fadb839f28eb4978c04f5b

SHA1
ee6f6ebf0f06a05c2e5f558af2f8a2408f3a0959

SHA256
a1a2b4af6f5b11c2a10573c00d0bb1260cbe4ec9974adcf7920e857674d47af8

SHA512
3b1d8e688bebd0435ee20d8c2a8df8fb28f02b5fdf690b38b8216868ef6a0b2c83bc18111dfc27185124ee546b3ddaaa20c1ea969829093296270e91880af472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Responsibility

Filesize
119KB

MD5
59e67fbea3f5e29bdb3dea031f008aac

SHA1
d4ce2707414808ca2cb311dc3c128686e87b338f

SHA256
e5b1b696d769798b291c9c9ae93e199409ee61775bca91d7c427a87bf9ad157b

SHA512
b3fe27fdaf4c6e6623fd14b3b8355bcbbebf92ad337cf2b6c71d439dad89ab1e1a87c39372088fd524055a3f0dc268e24454e42d812a63136e6fc93725500d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Saving

Filesize
91KB

MD5
271dbfa98e084e00839eb988c19cf5ff

SHA1
a62fb270d478eff87b60983e105ba3e49c9b3afa

SHA256
2b4303754a2bcdb3a4738db15b2ca242f4419a4d89fae7559767128e328917a5

SHA512
837d051958f1ff33bc2d75309b359d99ecd408ccbe8efbd79cf16c792d9c081abad64d544980813c227fa5fd30a27e9724b3a5187719ad43535c98838cdbf098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Senegal

Filesize
50KB

MD5
16596d3e3f55b1b96cd01c2357d5ca35

SHA1
a9cf8de1fe4fd3dc671c3aaa880c215cd1597a50

SHA256
16fd4e245be6449485bbfa10d0ea76fa741901cb865eabf8ead440b7cbc50bdc

SHA512
61ef64facceb2a8cbec9f5a930bb027c5760520e4bf6ecb5a2f823c0396737de4a977fb929bc551b426c7d90fdd7facb6809635313cd75105245a662743f60d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Separated

Filesize
76KB

MD5
bffa3dd025640bdec6090d5dd3d38113

SHA1
7d337740f2770ed993defe04306f4a7a539ba5f1

SHA256
9a010cff7fd75dde636a7f57caa6a5dba39f4d70a47b001649108b64db468fd7

SHA512
f66365c07e4615fe0120c30963b79564b6f4910b6d6c87b521a017ea516a267e1b69214a338890da60e2db3fcca9a870da5d54e6f8a54d5d427c5a182fb620ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ship

Filesize
77KB

MD5
8dece92d979e5bbc9dd451697e48f590

SHA1
9e754fea613333dba614e7c1520b86549ab11b2e

SHA256
df5ab9e37061fd2c62bb8fdf438312ddda9d0fe6e8f6fba0c537afd8c4580a37

SHA512
03f3f9ae3dbb4b49b4dbb1aa2a1340a274bec9e9a1025c67003102093cb9e4a140be090a11a8c8ac51d4bc9a7209d5e436b853b489d4e3c7aac5145e9b4e0b7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Smell

Filesize
2KB

MD5
28169287a48d94fc24e839388f769275

SHA1
32be0226b49ce503033f0f3194b16204eaf61fc6

SHA256
cef1855cf99e444f5570534a0d7bc3388f0a898b61d58b480690cc341b217032

SHA512
f01dbe60c74f16e31ed9420afc5f0644ee51fc05c11a04a31cc7980e20b782729766fb160e2f095b26642d5df99f657d66e5d13b08e72182a2c67139c48f6683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Symphony

Filesize
18KB

MD5
216c911a9e37e1e31e5660bc6c064bf7

SHA1
6e5b3bfd5f4f14fa68694703e0f62bb2185b9a60

SHA256
705626e965a28111cbf72346e4390f4e1f5ff9b79f0ec21e66d629b67ea89f5c

SHA512
90e28f5d2545d66e7461e9a6ff7e47c17611365dd970170a1c56aa17b75a84df9e750c20e4ac2eff49e7afdeea989218659a83d985fda6f905e4f195614a113d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Topless

Filesize
56KB

MD5
8c314f238d6a342215dac20a1d9b079b

SHA1
c7caf344fa1ce67a3c329731de7887746ad93ac9

SHA256
849f35166b415f3d49680392ecf1284010a64448687cddd0870772ea94ea8c39

SHA512
039d5eb052f8bb81fa9a3f92d13820b7d52998de651ee45b6b7db3ac762c299cd475486e0b440a96cbdf6ff7a0068779578bfc3265c24b98e03552665c691854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Vancouver

Filesize
51KB

MD5
4bbb05b6dc059ff0ddf3d4e98be07974

SHA1
1b5af37c41f73e5fa75bd946dd123f0a072a4236

SHA256
37f0cf1104ab49803068d87cf532c5e3603d8715a6ea09217aa60e66132fa4c0

SHA512
b248ce37d7673bf1bb114fdff0eb5888192a7f3ad6007b6fada51fcbc1508b7855c18a9949cb995f41fbd3a790a2af2afe91370320f59d91595895bb20f791db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Web

Filesize
90KB

MD5
beed2c760174e58d26028502f94b8c44

SHA1
76d01c3c12cda73a098e55ac3cce48c2156ac445

SHA256
f77376bf49e5b71759cda1127b2db5bd4638138461faf675ac757793a2e0cb69

SHA512
022d3adb491dc5ca27f61aebf33602183a67897190ebb25cd85e41abdc24f089651756773405422a26b19eb6b518124d4866fdd93731d39146f5c16aebfa35c3

Download Submit
C:\Users\Admin\Desktop\New folder\Read me before you start.txt

Filesize
1KB

MD5
1392ee9ea02404bb350ae5e982a16bd3

SHA1
0c29693b09d85220d51d80dab14f2b8d87a0cdce

SHA256
0728664c8aa5805bf9e4ef8fbe84e0833127185a5097bda12b6156a15bcb29ec

SHA512
2c41d21564fa29a3dba2c6055c46896dee98b0af35d21a2fe8369d469bdf7b10111398ee3063c47cd28da694cc0d5e37d7d1f6f494f8819b708eabafffe21cc6

Download Submit
C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.exe

Filesize
1.1MB

MD5
586c45b07a69a89813272e425388029f

SHA1
979e0ccab38b87ac3d3d4c79a6a3d9351179df26

SHA256
41fcac4067db860114a270ffadb6083647ed54bc95e43faf1fffbb23f0cf2a2b

SHA512
b83a662985d4a1165e19bbbb52e10cbaefab972f8a8a5dd65a657b32c29a5d1b69f3c588c41469340538600ecc237a369b7dfca35cca18572511f2b997d1085e

Download Submit
C:\Users\Admin\Desktop\New folder\installer_1.05_36.9.rar

Filesize
17.3MB

MD5
19f6ca66f86dd36182837b1e5845e2c7

SHA1
df171122405698b7dd482a41beb1dbd614168fa4

SHA256
11874068ef0e522730f49d405fd2b66fd54bfd692217ba75b53fcfbbe628e47c

SHA512
40319a21e9e3805ec43a63b75b88018eff9e42558743b8592003560d5d21b179cba319252d5398b41d06dd1bdf56bb99db0d77160e35fd56d97b3bdc78f632b1

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
383KB

MD5
33cecf93517f305d54609584a7d9e6bc

SHA1
5d816ed1ec543865646b78361b6f14fb0dafe33e

SHA256
288ec8500f2661a42ac531d5d7a9dc3d11d77885b3dc63ef2d3a7b75a210b5d1

SHA512
319ed031867f64c9312d8263ff5cdbd7e4c3ff77573224a4963b6ed5a1eac6ce52e607812742895ab996fb0d216daee34b00841b92f0bf6a5d56ff7efbe8a91c

Download Submit
\Users\Admin\Desktop\New folder\vcruntime140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
\Users\Admin\Desktop\New folder\winrar-x64.exe

Filesize
3.6MB

MD5
517023aad9ad2f3200057ce0b704e196

SHA1
7612058b5f0f87327b2957d5da63a2c6e65b0ea1

SHA256
de1d9040786c80f3f40f41c98aa1f6b14fc7b6f2d3db09eceadd340327164f8e

SHA512
bef1b7268d8c2c1f6c900fe392ecf11d2cd518dfa9944fb77c29c2306d20d89052a39c45d689054173ce866be1e93d4b3097131a120cd7567092527e1f50b3e1

Download Submit
memory/1536-265-0x0000000003550000-0x00000000035AC000-memory.dmp

Filesize
368KB

Download
memory/1536-264-0x0000000003550000-0x00000000035AC000-memory.dmp

Filesize
368KB

Download
memory/1536-263-0x0000000003550000-0x00000000035AC000-memory.dmp

Filesize
368KB

Download
memory/1536-262-0x0000000003550000-0x00000000035AC000-memory.dmp

Filesize
368KB

Download
memory/1536-261-0x0000000003550000-0x00000000035AC000-memory.dmp

Filesize
368KB

Download