General Info

File name

winhex.zip

Full analysis
https://app.any.run/tasks/95480ccd-918e-41e4-8d19-cd879b2fe41d
Verdict
Malicious activity
Analysis date
4/15/2019, 07:22:13
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

61a9a0c13391476c5f23c456f86bfba9

SHA1

f670eac27209a469bd836b00921fdc51631b021f

SHA256

5077181be75d19fed2f2f8e55b7d50a603f9c561fcd9c55bf6141f0ddeb364d6

SSDEEP

49152:N0KRPwJnykbmiFFt5U6HpUB6ihqGhJ3e4Aoz/OjgX/QF90bNnYdwfyShrz:NxRoxyNiFFt5JHCk0qGhZZOsINyyw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Changes settings of System certificates
  • WinHex.exe (PID: 3200)
Application was dropped or rewritten from another process
  • setup.exe (PID: 3168)
  • setup.exe (PID: 3172)
  • WinHex.exe (PID: 3200)
Loads dropped or rewritten executable
  • WinHex.exe (PID: 3200)
Modifies the open verb of a shell class
  • WinHex.exe (PID: 3200)
Executable content was dropped or overwritten
  • setup.exe (PID: 3168)
  • WinRAR.exe (PID: 3004)
Adds / modifies Windows certificates
  • WinHex.exe (PID: 3200)
Creates a software uninstall entry
  • setup.exe (PID: 3168)
Creates files in the program directory
  • setup.exe (PID: 3168)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2019:04:08 19:08:01
ZipCRC:
0xdefcb594
ZipCompressedSize:
619
ZipUncompressedSize:
1217
ZipFileName:
Boot Sector FAT.tpl

Screenshots

Processes

Total processes
37
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

+
drop and start drop and start start drop and start winrar.exe setup.exe no specs setup.exe winhex.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3004
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\winhex.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\notepad.exe
c:\windows\system32\hhctrl.ocx
c:\windows\hh.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$exa3004.26820\setup.exe

PID
3172
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\setup.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\setup.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
X-Ways Software Technology AG
Description
X-Ways setup program
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3004.26820\setup.exe
c:\systemroot\system32\ntdll.dll

PID
3168
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\setup.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\setup.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
X-Ways Software Technology AG
Description
X-Ways setup program
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3004.26820\setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\winhex\winhex.exe
c:\windows\system32\netutils.dll

PID
3200
CMD
"C:\Program Files\WinHex\WinHex.exe"
Path
C:\Program Files\WinHex\WinHex.exe
Indicators
Parent process
setup.exe
User
admin
Integrity Level
HIGH
Version:
Company
X-Ways Software Technology AG
Description
WinHex
Version
19.8
Modules
Image
c:\program files\winhex\winhex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mssvp.dll
c:\windows\system32\imageres.dll
c:\program files\winhex\zlib1.dll
c:\windows\system32\magnify.exe
c:\windows\system32\notepad.exe
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

Registry activity

Total events
650
Read events
605
Write events
45
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3004
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3004
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3004
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3004
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\winhex.zip
3004
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3004
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3004
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3004
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3004
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\system32\notepad.exe,-469
Text Document
3004
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\System32\hhctrl.ocx,-452
Compiled HTML Help file
3004
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3004
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3168
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinHex
DisplayName
WinHex
3168
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinHex
UninstallString
C:\Program Files\WinHex\WinHex.exe uninst
3168
setup.exe
write
HKEY_CURRENT_USER\Software\X-Ways AG\WinHex
Path
C:\Program Files\WinHex
3168
setup.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-500\Software\X-Ways AG\WinHex
Path
C:\Program Files\WinHex
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.whs
WHSFile
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WHSFile\shell\Open\Command
"C:\Program Files\WinHex\winhex.exe" "%1"
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WHSFile
WinHex Script
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WHSFile\DefaultIcon
"C:\Program Files\WinHex\winhex.exe",3
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WHSFile\shell\Edit\Command
notepad.exe "%1"
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.whx
WHXFile
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WHXFile\shell\Open\Command
"C:\Program Files\WinHex\winhex.exe" "%1"
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WHXFile
WinHex Backup File
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WHXFile\DefaultIcon
"C:\Program Files\WinHex\winhex.exe",0
3200
WinHex.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Blob
0F0000000100000014000000F45A0858C9CD920E647BAD539AB9F1CFC77F24CB090000000100000016000000301406082B0601050507030306082B06010505070308140000000100000014000000DAED6474149C143CABDD99A9BD5B284D8B3CC9D80B000000010000001400000055005300450052005400720075007300740000001D0000000100000010000000F919B9CCCE1E59C2E785F7DC2CCF6708030000000100000014000000E12DFB4B41D7D9C32B30514BAC1D81D8385E2D4620000000010000006A040000308204663082034EA003020102021044BE0C8B500024B411D3362DE0B35F1B300D06092A864886F70D0101050500308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A656374301E170D3939303730393138333132305A170D3139303730393138343033365A308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A65637430820122300D06092A864886F70D01010105000382010F003082010A0282010100CEAA813FA3A36178AA31005595119E270F1F1CDF3A9B826830C04A611DF12F0EFABE79F7A523EF55519684CDDBE3B96E3E31D80A2067C7F4D9BF94EB47043E02CE2AA25D870409F6309D188A97B2AA1CFC41D2A136CBFB3D91BAE7D97035FAE4E790C39BA39BD33CF5129977B1B709E068E61CB8F39463886A6AFE0B76C9BEF422E467B9AB1A5E77C18507DD0D6CBFEE06C7776A419EA70FD7FBEE9417B7FC85BEA4ABC41C31DDD7B6D1E4F0EFDF168FB25293D7A1D489A1072EBFE10112421E1AE1D89534DB647928FFBA2E11C2E5E85B9248FB470BC26CDAAD328341F3A5E54170FD65906DFAFA51C4F9BD962B19042CD36DA7DCF07F6F8365E26AAB8786750203010001A381AF3081AC300B0603551D0F0404030201C6300F0603551D130101FF040530030101FF301D0603551D0E04160414DAED6474149C143CABDD99A9BD5B284D8B3CC9D830420603551D1F043B30393037A035A0338631687474703A2F2F63726C2E7573657274727573742E636F6D2F55544E2D5553455246697273742D4F626A6563742E63726C30290603551D250422302006082B0601050507030306082B06010505070308060A2B0601040182370A0304300D06092A864886F70D01010505000382010100081F52B1374478DBFDCEB9DA959698AA556480B55A40DD21A5C5C1F35F2C4CC8475A69EAE8F03535F4D025F3C8A6A4874ABD1BB17308BDD4C3CAB635BB59867731CDA78014AE13EFFCB148F96B25252D51B62C6D45C198C88A565D3EEE434E3E6B278ED03A4B850B5FD3ED6AA775CBD15A872F3975135A72B002819FBEF00F845420626C69D4E14DC60D9943010D12968C789DBF50A2B144AA6ACF177ACF6F0FD4F824555FF0341649663E5046C96371383162B862B9F353AD6CB52BA212AA194F09DA5EE793C68E1408FEF0308018A086854DC87DD78B03FE6ED5F79D16AC922CA023E59C91521F94DF179473C3B3C1C17105200078BD13521DA83ECD001FC8
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Blob
0400000001000000100000009414777E3E5EFD8F30BD41B0CFE7D0300F0000000100000014000000BF4D2C390BBF0AA3A2B7EA2DC751011BF5FD422E090000000100000068000000306606082B0601050507030106082B0601050507030206082B0601050507030306082B0601050507030406082B0601050507030806082B06010505070309060A2B0601040182370A030406082B0601050507030606082B0601050507030706082B060105050802020B000000010000005C00000047006F006F0067006C00650020005400720075007300740020005300650072007600690063006500730020002D00200047006C006F00620061006C005300690067006E00200052006F006F0074002000430041002D005200320000005300000001000000230000003021301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0620000000100000020000000CA42DD41745FD0B81EB902362CF9D8BF719DA1BD1B1EFC946F5B4C99F42C1B9E1400000001000000140000009BE20757671C1EC06A06DE59B49A2DDFDC19862E1D000000010000001000000073621E116224668780B2D2BEE454E52E03000000010000001400000075E0ABB6138512271C04F85FDDDE38E4B7242EFE190000000100000010000000A8827A3CBD2D87D783B59B8062C87E9A2000000001000000BE030000308203BA308202A2A003020102020B0400000000010F8626E60D300D06092A864886F70D0101050500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523231133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3036313231353038303030305A170D3231313231353038303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523231133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820122300D06092A864886F70D01010105000382010F003082010A0282010100A6CF240EBE2E6F28994542C4AB3E21549B0BD37F8470FA12B3CBBF875FC67F86D3B2305CD6FDADF17BDCE5F86096099210F5D053DEFB7B7E7388AC52887B4AA6CA49A65EA8A78C5A11BC7A82EBBE8CE9B3AC962507974A992A072FB41E77BF8A0FB5027C1B96B8C5B93A2CBCD612B9EB597DE2D006865F5E496AB5395E8834ECBC780C0898846CA8CD4BB4A07D0C794DF0B82DCB21CAD56C5B7DE1A02984A1F9D39449CB24629120BCDD0BD5D9CCF9EA270A2B7391C69D1BACC8CBE8E0A0F42F908B4DFBB0361BF6197A85E06DF26113885C9FE0930A51978A5ACEAFABD5F7AA09AA60BDDCD95FDF72A960135E0001C94AFA3FA4EA070321028E82CA03C29B8F0203010001A3819C308199300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E041604149BE20757671C1EC06A06DE59B49A2DDFDC19862E30360603551D1F042F302D302BA029A0278625687474703A2F2F63726C2E676C6F62616C7369676E2E6E65742F726F6F742D72322E63726C301F0603551D230418301680149BE20757671C1EC06A06DE59B49A2DDFDC19862E300D06092A864886F70D01010505000382010100998153871C68978691ECE04AB8440BAB81AC274FD6C1B81C4378B30C9AFCEA2C3C6E611B4D4B29F59F051D26C1B8E983006245B6A90893B9A9334B189AC2F887884EDBDD71341AC154DA463FE0D32AAB6D5422F53A62CD206FBA2989D7DD91EED35CA23EA15B41F5DFE564432DE9D539ABD2A2DFB78BD0C080191C45C02D8CE8F82DA4745649C505B54F15DE6E44783987A87EBBF3791891BBF46F9DC1F08C358C5D01FBC36DB9EF446D7946317E0AFEA982C1FFEFAB6E20C450C95F9D4D9B178C0CE501C9A0416A7353FAA550B46E250FFB4C18F4FD52D98E69B1E8110FDE88D8FB1D49F7AADE95CF2078C26012DB25408C6AFC7E4238406412F79E81E1932E
3200
WinHex.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Blob
190000000100000010000000E843AC3B52EC8C297FA948C9B1FB2819030000000100000014000000E12DFB4B41D7D9C32B30514BAC1D81D8385E2D461D0000000100000010000000F919B9CCCE1E59C2E785F7DC2CCF67080B00000001000000140000005500530045005200540072007500730074000000140000000100000014000000DAED6474149C143CABDD99A9BD5B284D8B3CC9D8090000000100000016000000301406082B0601050507030306082B060105050703080F0000000100000014000000F45A0858C9CD920E647BAD539AB9F1CFC77F24CB20000000010000006A040000308204663082034EA003020102021044BE0C8B500024B411D3362DE0B35F1B300D06092A864886F70D0101050500308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A656374301E170D3939303730393138333132305A170D3139303730393138343033365A308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A65637430820122300D06092A864886F70D01010105000382010F003082010A0282010100CEAA813FA3A36178AA31005595119E270F1F1CDF3A9B826830C04A611DF12F0EFABE79F7A523EF55519684CDDBE3B96E3E31D80A2067C7F4D9BF94EB47043E02CE2AA25D870409F6309D188A97B2AA1CFC41D2A136CBFB3D91BAE7D97035FAE4E790C39BA39BD33CF5129977B1B709E068E61CB8F39463886A6AFE0B76C9BEF422E467B9AB1A5E77C18507DD0D6CBFEE06C7776A419EA70FD7FBEE9417B7FC85BEA4ABC41C31DDD7B6D1E4F0EFDF168FB25293D7A1D489A1072EBFE10112421E1AE1D89534DB647928FFBA2E11C2E5E85B9248FB470BC26CDAAD328341F3A5E54170FD65906DFAFA51C4F9BD962B19042CD36DA7DCF07F6F8365E26AAB8786750203010001A381AF3081AC300B0603551D0F0404030201C6300F0603551D130101FF040530030101FF301D0603551D0E04160414DAED6474149C143CABDD99A9BD5B284D8B3CC9D830420603551D1F043B30393037A035A0338631687474703A2F2F63726C2E7573657274727573742E636F6D2F55544E2D5553455246697273742D4F626A6563742E63726C30290603551D250422302006082B0601050507030306082B06010505070308060A2B0601040182370A0304300D06092A864886F70D01010505000382010100081F52B1374478DBFDCEB9DA959698AA556480B55A40DD21A5C5C1F35F2C4CC8475A69EAE8F03535F4D025F3C8A6A4874ABD1BB17308BDD4C3CAB635BB59867731CDA78014AE13EFFCB148F96B25252D51B62C6D45C198C88A565D3EEE434E3E6B278ED03A4B850B5FD3ED6AA775CBD15A872F3975135A72B002819FBEF00F845420626C69D4E14DC60D9943010D12968C789DBF50A2B144AA6ACF177ACF6F0FD4F824555FF0341649663E5046C96371383162B862B9F353AD6CB52BA212AA194F09DA5EE793C68E1408FEF0308018A086854DC87DD78B03FE6ED5F79D16AC922CA023E59C91521F94DF179473C3B3C1C17105200078BD13521DA83ECD001FC8

Files activity

Executable files
10
Suspicious files
4
Text files
38
Unknown types
9

Dropped files

PID
Process
Filename
Type
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Chinese.dat
executable
MD5: 833ab5b37febb906dbfa095b8793d46e
SHA256: bf96bcd2180b7d5f1c5c50d1f3d146160b8a1ad642c0049c8cf283ec5bf1a172
3168
setup.exe
C:\Program Files\WinHex\Chinese.dat
executable
MD5: 833ab5b37febb906dbfa095b8793d46e
SHA256: bf96bcd2180b7d5f1c5c50d1f3d146160b8a1ad642c0049c8cf283ec5bf1a172
3168
setup.exe
C:\Program Files\WinHex\setup.exe
executable
MD5: f9fff8a09677b57ae59fe976909a549d
SHA256: 311cfa80c051465a9c2ab1913898d14380dcb2d244d814217e11e7cc390c480a
3168
setup.exe
C:\Program Files\WinHex\winhex.exe
executable
MD5: 45ab7ccedc1db1a534fa65b614dba366
SHA256: e0b73752c0c945b986a426ee0526d232121fc9e2b422950ada5a838de5051217
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\winhex.exe
executable
MD5: 45ab7ccedc1db1a534fa65b614dba366
SHA256: e0b73752c0c945b986a426ee0526d232121fc9e2b422950ada5a838de5051217
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\zlib1.dll
executable
MD5: 1a4ce8c5d91c65c8a557f55960340911
SHA256: 6fee3797819384b70bddc8868c2b8a1112900206a21ae8b85588f62bb41b82e1
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\setup.exe
executable
MD5: f9fff8a09677b57ae59fe976909a549d
SHA256: 311cfa80c051465a9c2ab1913898d14380dcb2d244d814217e11e7cc390c480a
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Dokan.exe
executable
MD5: b2e209833057cc4780209a6002c45d12
SHA256: 3d676ce6e3a12c14f275b03f64d73d49463a0ff946a5f661b603559025e71a84
3168
setup.exe
C:\Program Files\WinHex\zlib1.dll
executable
MD5: 1a4ce8c5d91c65c8a557f55960340911
SHA256: 6fee3797819384b70bddc8868c2b8a1112900206a21ae8b85588f62bb41b82e1
3168
setup.exe
C:\Program Files\WinHex\Dokan.exe
executable
MD5: b2e209833057cc4780209a6002c45d12
SHA256: 3d676ce6e3a12c14f275b03f64d73d49463a0ff946a5f661b603559025e71a84
3168
setup.exe
C:\Program Files\WinHex\File Type Signatures Search.txt
text
MD5: c0d59b7ae0452fdca6267d7d856a214f
SHA256: 356b465da50c49b22893c836db8126a7f40f92d82c7d3f7074d33cdfa01ef975
3168
setup.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
hiv
MD5: 728a902efc9a17c74aee05a32cbb7451
SHA256: b9d84bcb177c2d05cf0fdccb54874b99fca69e5e966cfd1c6ee86deb9c44c77c
3168
setup.exe
C:\Program Files\WinHex\language.dat
binary
MD5: 486d8b7cdb6d015d043c7807a89afae7
SHA256: dd81b54bbb6b9531b2e1a84611dda2fd8ecb8f7df72b1f70103a2f75d7382c78
3168
setup.exe
C:\ProgramData\Microsoft\Windows\Start Menu\WinHex.lnk
lnk
MD5: 2cccd16a19decbef5c11b6fb6c8c77e4
SHA256: fc4d05f8ecb3c75516497c45188b399dca16851952ce5ab7f1a508824694b398
3168
setup.exe
C:\Program Files\WinHex\winhex-d.chm
chm
MD5: 685b868ce3b8703c9778efa0f567134e
SHA256: a938290a0044c6910bf9c8da39656013cfaa89d16160d83f259b327a1dfe4bdd
3168
setup.exe
C:\Users\Administrator\NTUSER.DAT
hiv
MD5: d7decb619915c0e0386660f57d7db64c
SHA256: 17c538d9a03e1e2892ee57c6e8322afcc2c07283f5fe6edb41a9f2074124046f
3168
setup.exe
C:\Program Files\WinHex\FAT Directory Entry.tpl
text
MD5: dff5148c4020973c538331501435a137
SHA256: 832039763cb2e837cd48f24b9a44c6a928702a472c77d4ca847f140c2cd83c84
3168
setup.exe
C:\Program Files\WinHex\Ext Superblock.tpl
text
MD5: b99ad269c6201cf7b897375ebe330bbf
SHA256: 4706b2def17ed1e91e559aa920998fc461a7d3bfc7c37707f04636f2798ca056
3168
setup.exe
C:\Program Files\WinHex\Ext Directory Entry.tpl
text
MD5: 7d02e2ee25c47b445bc99777dd279a2c
SHA256: 2b23038af1df80b7f404ae0c3e03dfa3dece95185ee1275d1be7e5533fa60a42
3168
setup.exe
C:\Program Files\WinHex\Ext Inode.tpl
text
MD5: 1d289762e99b093df7f9cd6290ec997c
SHA256: 3bf09a19e830f142ad19525479ee25a1595d1343fc45368975a1435ea9885cba
3168
setup.exe
C:\Program Files\WinHex\HFS+ Volume Header.tpl
text
MD5: 50885aa828c69ec6e50211ba33039084
SHA256: 8cd31e3896894153574b810172e6d88a5d6f035baa83a31a0d798b5cb94043dc
3168
setup.exe
C:\Program Files\WinHex\GUID Partition Table.tpl
text
MD5: af38485b532c05e033aa3594f072373c
SHA256: 997d492ee269c23576037bec2fcec0df71a464c51ee5e851e565de24afda50a9
3168
setup.exe
C:\Program Files\WinHex\FAT LFN Entry.tpl
text
MD5: fa99067fc052f38798d55aa520b56eae
SHA256: 4b36dc865d28928f030b5ef58139f5ae61212821a283a5147c5fa6ec1683d5a4
3168
setup.exe
C:\Program Files\WinHex\Ext Group Descriptor.tpl
text
MD5: ff950548020e68c9ecc737959623d163
SHA256: 1705edf4117c3c3dfbae8f76d268437ec27ff8ad2ac7fc4dd4c8616fbb7825e1
3168
setup.exe
C:\Program Files\WinHex\Russian.txt
text
MD5: 713a429643bb3e2466e62e0b0d9732f4
SHA256: 47b09b9dd9f8420de9c167f3451f51dc35419ac5334d666a0c9753b17fb8fcf3
3168
setup.exe
C:\Program Files\WinHex\Boot Sector FAT32.tpl
text
MD5: 42b5387be8b65cc1ae1fd77a3fa7c1d9
SHA256: 6a7df566070f7ce6d1778c9932b231e2916ae7e7f26eb009378b6a8db9d169a8
3168
setup.exe
C:\Program Files\WinHex\Boot Sector NTFS.tpl
text
MD5: fa31d4e4fc767bda92dd25734629445c
SHA256: c221d32e6360dffe0272ddf5411c853ce7f056cce10e955ab589afc2fcd784fc
3168
setup.exe
C:\Program Files\WinHex\Boot Sector FAT.tpl
text
MD5: b62f0723a54d3f41160abc8df575b635
SHA256: 4b16a526faecee899f97547a2fe05b7513de6a6c4f807c9f6623c94ec4d2c5ec
3168
setup.exe
C:\Program Files\WinHex\Chinese.txt
text
MD5: cb1c4125f7a7c8201c3b2da95d57d907
SHA256: 99581218c7b2d23ae939b23c9214ff37e4eb835458060e8c5269cc19cff82dd6
3168
setup.exe
C:\Program Files\WinHex\Text file conversion Windows - UNIX.whs
text
MD5: 514123ac4dfebbe07203caae3666d7f7
SHA256: 69ad006980223c3b5200fbe2e72763b7b198a95b1bfaf7d62c969f4585319942
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Boot Sector FAT32.tpl
text
MD5: 42b5387be8b65cc1ae1fd77a3fa7c1d9
SHA256: 6a7df566070f7ce6d1778c9932b231e2916ae7e7f26eb009378b6a8db9d169a8
3168
setup.exe
C:\Program Files\WinHex\Text file conversion UNIX - Windows.whs
text
MD5: f0ebf536a6fe6138cb8c1ae093a04156
SHA256: df97e3931040e814981ce5df601cd6c8e717c7dbbfd2de852a9fc61ecdc48df0
3168
setup.exe
C:\Program Files\WinHex\Sample script.whs
text
MD5: cfb2cb5eeda9faea0ca4cddd02cf357d
SHA256: 7ff8c33efcb86d159bc0c596256463cd825c61ecde3242d4372a0df2f52761af
3168
setup.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
log
MD5: f4c3b0f81bfc9017e2df498092dd22e5
SHA256: 86aee45f3bf9d58fc6c9270840e77192d827cdbd3fe1538db368957135e49ea4
3168
setup.exe
C:\Program Files\WinHex\timezone.dat
binary
MD5: 81433e967d229b42ab4c1b55c01c3f9b
SHA256: 8bc05b3f5652cce6ca30da7bc146ca193fef76cbd4fd83ebc6935145773b221d
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\winhex-d.chm
chm
MD5: 685b868ce3b8703c9778efa0f567134e
SHA256: a938290a0044c6910bf9c8da39656013cfaa89d16160d83f259b327a1dfe4bdd
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\winhex.chm
chm
MD5: ed11b3ee6e4cae744c10c44cda40fb82
SHA256: f9b87383e0bf304b28c430dad0f5d5031b527ac4e4acce33ef03e10fe90ad725
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\NTFS FILE Record.tpl
text
MD5: c93fd6f1834abee78a70a5beb584d754
SHA256: 6ecf91001a559202201f8ba1f59fe39140772e5b3c0f7db500ef9240549a4f21
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Russian.txt
text
MD5: 713a429643bb3e2466e62e0b0d9732f4
SHA256: 47b09b9dd9f8420de9c167f3451f51dc35419ac5334d666a0c9753b17fb8fcf3
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Sample script.whs
text
MD5: cfb2cb5eeda9faea0ca4cddd02cf357d
SHA256: 7ff8c33efcb86d159bc0c596256463cd825c61ecde3242d4372a0df2f52761af
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Text file conversion UNIX - Windows.whs
text
MD5: f0ebf536a6fe6138cb8c1ae093a04156
SHA256: df97e3931040e814981ce5df601cd6c8e717c7dbbfd2de852a9fc61ecdc48df0
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\timezone.dat
binary
MD5: 81433e967d229b42ab4c1b55c01c3f9b
SHA256: 8bc05b3f5652cce6ca30da7bc146ca193fef76cbd4fd83ebc6935145773b221d
3168
setup.exe
C:\Program Files\WinHex\NTFS FILE Record.tpl
text
MD5: c93fd6f1834abee78a70a5beb584d754
SHA256: 6ecf91001a559202201f8ba1f59fe39140772e5b3c0f7db500ef9240549a4f21
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Text file conversion Windows - UNIX.whs
text
MD5: 514123ac4dfebbe07203caae3666d7f7
SHA256: 69ad006980223c3b5200fbe2e72763b7b198a95b1bfaf7d62c969f4585319942
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\GUID Partition Table.tpl
text
MD5: af38485b532c05e033aa3594f072373c
SHA256: 997d492ee269c23576037bec2fcec0df71a464c51ee5e851e565de24afda50a9
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\language.dat
binary
MD5: 486d8b7cdb6d015d043c7807a89afae7
SHA256: dd81b54bbb6b9531b2e1a84611dda2fd8ecb8f7df72b1f70103a2f75d7382c78
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\File Type Signatures Search.txt
text
MD5: c0d59b7ae0452fdca6267d7d856a214f
SHA256: 356b465da50c49b22893c836db8126a7f40f92d82c7d3f7074d33cdfa01ef975
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\HFS+ Volume Header.tpl
text
MD5: 50885aa828c69ec6e50211ba33039084
SHA256: 8cd31e3896894153574b810172e6d88a5d6f035baa83a31a0d798b5cb94043dc
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Master Boot Record.tpl
text
MD5: 2994b4fd513a4bd3aeeed65abcf169e1
SHA256: 92d1f63048c0518b04a7e417d9a6218a9e08643490938bb0034b706d6fd55dea
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\FAT LFN Entry.tpl
text
MD5: fa99067fc052f38798d55aa520b56eae
SHA256: 4b36dc865d28928f030b5ef58139f5ae61212821a283a5147c5fa6ec1683d5a4
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Ext Inode.tpl
text
MD5: 1d289762e99b093df7f9cd6290ec997c
SHA256: 3bf09a19e830f142ad19525479ee25a1595d1343fc45368975a1435ea9885cba
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Ext Superblock.tpl
text
MD5: b99ad269c6201cf7b897375ebe330bbf
SHA256: 4706b2def17ed1e91e559aa920998fc461a7d3bfc7c37707f04636f2798ca056
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\FAT Directory Entry.tpl
text
MD5: dff5148c4020973c538331501435a137
SHA256: 832039763cb2e837cd48f24b9a44c6a928702a472c77d4ca847f140c2cd83c84
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Ext Group Descriptor.tpl
text
MD5: ff950548020e68c9ecc737959623d163
SHA256: 1705edf4117c3c3dfbae8f76d268437ec27ff8ad2ac7fc4dd4c8616fbb7825e1
3168
setup.exe
C:\Program Files\WinHex\Master Boot Record.tpl
text
MD5: 2994b4fd513a4bd3aeeed65abcf169e1
SHA256: 92d1f63048c0518b04a7e417d9a6218a9e08643490938bb0034b706d6fd55dea
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Chinese.txt
text
MD5: cb1c4125f7a7c8201c3b2da95d57d907
SHA256: 99581218c7b2d23ae939b23c9214ff37e4eb835458060e8c5269cc19cff82dd6
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Ext Directory Entry.tpl
text
MD5: 7d02e2ee25c47b445bc99777dd279a2c
SHA256: 2b23038af1df80b7f404ae0c3e03dfa3dece95185ee1275d1be7e5533fa60a42
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Boot Sector NTFS.tpl
text
MD5: fa31d4e4fc767bda92dd25734629445c
SHA256: c221d32e6360dffe0272ddf5411c853ce7f056cce10e955ab589afc2fcd784fc
3168
setup.exe
C:\Program Files\WinHex\winhex.chm
chm
MD5: ed11b3ee6e4cae744c10c44cda40fb82
SHA256: f9b87383e0bf304b28c430dad0f5d5031b527ac4e4acce33ef03e10fe90ad725
3004
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3004.26820\Boot Sector FAT.tpl
text
MD5: b62f0723a54d3f41160abc8df575b635
SHA256: 4b16a526faecee899f97547a2fe05b7513de6a6c4f807c9f6623c94ec4d2c5ec
3168
setup.exe
C:\Users\Administrator\NTUSER.DAT.LOG1
log
MD5: 286555f793ef3f5e61c873c680147432
SHA256: 4eb10e8f44754d3294fe22aeee7d197cb99de9cf331e323fe05386aa12088be6

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3200 WinHex.exe 172.217.16.163:443 Google Inc. US whitelisted

DNS requests

Domain IP Reputation
google.de 172.217.16.163
whitelisted

Threats

No threats detected.

Debug output strings

No debug info.