Analysis
-
max time kernel
884s -
max time network
887s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
14-01-2023 05:20
General
-
Target
hood fighting.lua
-
Size
581B
-
MD5
19c677bb8cda5703f42c143bb4251e6a
-
SHA1
ad85336a7304a4e58b2a4f5c40b02f578aa00923
-
SHA256
d37e1cf29ba447f8d5e8f3e27be0485c986115b8280bbd5b9c57bbfe70beccd5
-
SHA512
c82d72dbd5e5d015a27334f27319ee4deb575800ae9a9f5755b7d1a0e165c7cd7883039ebf9ec0c205e1fedc26c2d68f3762893e6e369e2ebb5c565eb567ad74
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\WinRAR\Rar.txt
Ransom Note
User's Manual
~~~~~~~~~~~~~
RAR 6.11 console version
~~~~~~~~~~~~~~~~~~~~~~~~
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Welcome to the RAR Archiver!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Introduction
~~~~~~~~~~~~
RAR is a console application allowing to manage archive files
in command line mode. RAR provides compression, encryption,
data recovery and many other functions described in this manual.
RAR supports only RAR format archives, which have .rar file name
extension by default. ZIP and other formats are not supported.
Even if you specify .zip extension when creating an archive, it will
still be in RAR format. Windows users may install WinRAR, which supports
more archive types including RAR and ZIP formats.
WinRAR provides both graphical user interface and command line mode.
While console RAR and GUI WinRAR have the similar command line syntax,
some differences exist. So it is recommended to use this rar.txt manual
for console RAR (rar.exe in case of Windows version) and winrar.chm
WinRAR help file for GUI WinRAR (winrar.exe).
Configuration file
~~~~~~~~~~~~~~~~~~
RAR and UnRAR for Unix read configuration information from .rarrc file
in a user's home directory (stored in HOME environment variable)
or in /etc directory.
RAR and UnRAR for Windows read configuration information from rar.ini file,
placed in the same directory as the rar.exe file.
This file can contain the following string:
switches=<any RAR switches separated by spaces>
For example:
switches=-m5 -s
It is also possible to specify separate switch sets for individual
RAR commands using the following syntax:
switches_<command>=<any RAR switches separated by spaces>
For example:
switches_a=-m5 -s
switches_x=-o+
Environment variable
~~~~~~~~~~~~~~~~~~~~
Default parameters may be added to the RAR command line by establishing
an environment variable "RAR".
For instance, in Unix following lines may be added to your profile:
RAR='-s -md1024'
export RAR
RAR will use this string as default parameters in the command line and
will create "solid" archives with 1024 MB sliding dictionary size.
RAR handles options with priority as following:
command line switches highest priority
switches in the RAR variable lower priority
switches saved in configuration file lowest priority
Log file
~~~~~~~~
If switch -ilog is specified in the command line or configuration file,
RAR will write informational messages about errors encountered while
processing archives into a log file. Read the switch -ilog description
for more details.
The file order list for solid archiving - rarfiles.lst
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rarfiles.lst contains a user-defined file list, which tells RAR
the order in which to add files to a solid archive. It may contain
file names, wildcards and special entry - $default. The default
entry defines the place in order list for files not matched
with other entries in this file. The comment character is ';'.
In Windows this file should be placed in the same directory as RAR
or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory
or in /etc.
Tips to provide improved compression and speed of operation:
- similar files should be grouped together in the archive;
- frequently accessed files should be placed at the beginning.
Normally masks placed nearer to the top of list have a higher priority,
but there is an exception from this rule. If rarfiles.lst contains such
two masks that all files matched by one mask are also matched by another,
that mask which matches a smaller subset of file names will have higher
priority regardless of its position in the list. For example, if you have
*.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of
'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'.
RAR command line syntax
~~~~~~~~~~~~~~~~~~~~~~~
Syntax
RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ]
[ <files...> ] [ <path_to_extract\> ]
Description
Command is a single character or string specifying an action to be
performed by RAR. Switches are designed to modify the way RAR performs
such action. Other parameters are archive name and files to be archived
or extracted.
Listfiles are plain text files containing names of files to process.
File names must start at the first column. It is possible to
put comments to the listfile after // characters. For example,
you can create backup.lst containing the following strings:
c:\work\doc\*.txt //backup text documents
c:\work\image\*.bmp //backup pictures
c:\work\misc
and then run:
rar a backup @backup.lst
If you wish to read file names from stdin (standard input),
specify the empty listfile name (just @).
By default, console RAR uses the single byte encoding in list files,
but it can be redefined with -sc<charset>l switch.
You can specify both usual file names and list files in the same
command line. If neither files nor listfiles are specified,
then *.* is implied and RAR will process all files.
path_to_extract includes the destination directory name followed by
a path separator character. For example, it can be c:\dest\ in Windows
or data/ in Unix. It specifies the directory to place extracted files
in 'x' and 'e' commands. This directory is created by RAR if it does not
exist yet. Alternatively it can be set with -op<path> switch.
Many RAR commands, such as extraction, test or list, allow to use
wildcards in archive name. If no extension is specified in archive
mask, RAR assumes .rar, so * means all archives with .rar extension.
If you need to process all archives without extension, use *. mask.
*.* mask selects all files. Wildcards in archive name are not allowed
when archiving and deleting.
In Unix you need to enclose RAR command line parameters containing
wildcards in single or double quotes to prevent their expansion
by Unix shell. For example, this command will extract *.asm files
from all *.rar archives in current directory:
rar e '*.rar' '*.asm'
Command could be any of the following:
a Add files to archive.
Examples:
1) add all *.hlp files from the current directory to
the archive help.rar:
rar a help *.hlp
2) archive all files from the current directory and subdirectories
to 362000 bytes size solid, self-extracting volumes
and add the recovery record to each volume:
rar a -r -v362 -s -sfx -rr save
Because no file names are specified, all files (*) are assumed.
3) as a special exception, if directory name is specified as
an argument and if directory name does not include file masks
and trailing path separator, the entire contents of the directory
and all subdirectories will be added to the archive even
if switch -r is not specified.
The following command will add all files from the directory
Bitmaps and its subdirectories to the RAR archive Pictures.rar:
rar a Pictures.rar Bitmaps
4) if directory name includes the trailing path separator,
normal rules apply and you need to specify switch -r to process
its subdirectories.
The following command will add all files from directory Bitmaps,
but not from its subdirectories, because switch -r is not
specified:
rar a Pictures.rar Bitmaps\*
c Add archive comment. Comments are displayed while the archive is
being processed. Comment length is limited to 256 KB.
Examples:
rar c distrib.rar
Also comments may be added from a file using -z[file] switch.
The following command adds a comment from info.txt file:
rar c -zinfo.txt dummy
ch Change archive parameters.
This command can be used with most of archive modification
switches to modify archive parameters. It is especially
convenient for switches like -cl, -cu, -tl, which do not
have a dedicated command.
It is not able to recompress, encrypt or decrypt archive data
and it cannot merge or create volumes. If used without any
switches, 'ch' command just copies the archive data without
modification.
Example:
Set archive time to latest file:
rar ch -tl files.rar
cw Write archive comment to specified file.
Format of output file depends on -sc switch.
If output file name is not specified, comment data will be
sent to stdout.
Examples:
1) rar cw arc comment.txt
2) rar cw -scuc arc unicode.txt
3) rar cw arc
d Delete files from archive. If this command removes all files
from archive, the empty archive is removed.
e Extract files without archived paths.
Extract files excluding their path component, so all files
are created in the same destination directory.
Use 'x' command if you wish to extract full pathnames.
Example:
rar e -or html.rar *.css css\
extract all *.css files from html.rar archive to 'css' directory
excluding archived paths. Rename extracted files automatically
in case several files have the same name.
f Freshen files in archive. Updates archived files older
than files to add. This command will not add new files
to the archive.
i[i|c|h|t]=<string>
Find string in archives.
Supports following optional parameters:
i - case insensitive search (default);
c - case sensitive search;
h - hexadecimal search;
t - use ANSI, UTF-8, UTF-16 and OEM (Windows only)
character tables;
If no parameters are specified, it is possible to use
the simplified command syntax i<string> instead of i=<string>
It is allowed to specify 't' modifier with other parameters,
for example, ict=string performs case sensitive search
using all mentioned above character tables.
Examples:
1) rar "ic=first level" -r c:\*.rar *.txt
Perform case sensitive search of "first level" string
in *.txt files in *.rar archives on the disk c:
2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar
Search for hex string f0 e0 ae ae ab 2d 83 e3 a9
in rar archives in e:\texts directory.
k Lock archive.
RAR cannot modify locked archives, so locking important archives
prevents their accidental modification by RAR. Such protection
might be especially useful in case of RAR commands processing
archives in groups.
This command is not intended or able to prevent modification
by other tools or willful third party. It implements a safety
measure only for accidental data change by RAR.
Example:
rar k final.rar
l[t[a],b]
List archive contents [technical [all], bare].
'l' command lists archived file attributes, size, date,
time and name, one file per line. If file is encrypted,
line starts from '*' character.
'lt' displays the detailed file information in multiline mode.
This information includes file checksum value, host OS,
compression options and other parameters.
'lta' provide the detailed information not only for files,
but also for service headers like NTFS streams
or file security data.
'lb' lists bare file names with path, one per line,
without any additional information.
You can use -v switch to list contents of all volumes
in volume set: rar l -v vol.part1.rar
Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta'
and 'vb' correspondingly.
m[f] Move to archive [files only]. Moving files and directories
results in the files and directories being erased upon
successful completion of the packing operation. Directories will
not be removed if 'f' modifier is used and/or '-ed' switch is
applied.
p Print file to stdout.
Send unpacked file data to stdout. Informational messages
are suppressed with this command, so they are not mixed
with file data.
r Repair archive. Archive repairing is performed in two stages.
First, the damaged archive is searched for a recovery record
(see 'rr' command). If archive contains the previously added
recovery record and if damaged data area is continuous
and smaller than error correction code size in recovery record,
chance of successful archive reconstruction is high.
When this stage has been completed, a new archive is created,
named as fixed.arcname.rar, where 'arcname' is the original
(damaged) archive name.
If broken archive does not contain a recovery record or if
archive is not completely recovered due to major damage,
second stage is performed. During this stage only the archive
structure is reconstructed and it is impossible to recover
files which fail checksum validation, it is still possible,
however, to recover undamaged files, which were inaccessible
due to the broken archive structure. Mostly this is useful
for non-solid archives. This stage is never efficient
for archives with encrypted file headers, which can be repaired
only if recovery record is present.
When the second stage is completed, the reconstructed archive
is saved as rebuilt.arcname.rar, where 'arcname' is
the original archive name.
By default, repaired archives are created in the current
directory, but you can append an optional destpath\ parameter
to specify another destination directory.
Example:
rar r buggy.rar c:\fixed\
repair buggy.rar and place the result to 'c:\fixed' directory.
rc Reconstruct missing and damaged volumes using recovery volumes
(.rev files). You need to specify any existing .rar or .rev
volume as the archive name.
Example:
rar rc backup.part03.rar
Read 'rv' command description for information about
recovery volumes.
rn Rename archived files.
The command syntax is:
rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN>
For example, the following command:
rar rn data.rar readme.txt readme.bak info.txt info.bak
will rename readme.txt to readme.bak and info.txt to info.bak
in the archive data.rar.
It is allowed to use wildcards in the source and destination
names for simple name transformations
Emails
-n@inclist.txt
Extracted
Path
C:\Program Files\WinRAR\WhatsNew.txt
Ransom Note
WinRAR - What's new in the latest version
Version 6.11
1. Added support for Gz archives with large archive comments.
Previously the extraction command failed to unpack gz archives
if comment size exceeded 16 KB.
2. Archive comments in gz archives are displayed in the comment window
and recognized by "Show information" command. Large comments are
shown partially.
Previous versions didn't display Gzip comments.
3. Reserved device names followed by file extension, such as aux.txt,
are extracted as is in Windows 11 even without "Allow potentially
incompatible names" option or -oni command line switch.
Unlike previous Windows versions, Windows 11 treats such names
as usual files.
Device names without extension, such as aux, still require these
options to be unpacked as is regardless of Windows version.
4. Switch -mes can be also used to suppress the password prompt
and abort when adding files to encrypted solid archive.
5. Additional measures to prevent extracting insecure links are
implemented.
6. Bugs fixed:
a) if password exceeding 127 characters was entered when unpacking
an encrypted archive with console RAR, text after 127th character
could be erroneously recognized as user's input by different
prompts issued later;
b) wrong archived file time could be displayed in overwrite prompt
when extracting a file from ZIP archive. It happened if such
archive included extended file times and was created in another
time zone. It didn't affect the actual file time, which was set
properly upon extraction.
Version 6.10
1. WinRAR can unpack contents of .zst and .zipx archives utilizing
Zstandard algorithm.
2. Added support of Windows 11 Explorer context menus.
Beginning from Windows 11, an application can add only a single top
level command or submenu to Explorer context menu.
If "Cascaded context menus" in "Integration settings" dialog is on,
this single item is a submenu storing all necessary WinRAR commands.
If this option is off, only one extraction command for archives
and one archiving command for usual files are available.
You can select these commands with "Context menu items..." button
in "Integration settings" dialog.
3. "Legacy context menus" option in "Settings/Integration" dialog
can be used in Windows 11 if WinRAR commands are missing in
"Show more options" Windows legacy context menu or in context menus
of third party file managers. If WinRAR commands are already present
here, keep "Legacy context menus" option turned off to prevent
duplicating them.
This option is not available in Windows 10 and older.
4. Windows XP is not supported anymore. Minimum required operating
system version is Windows Vista.
5. "Close" item is added to "When done" list on "Advanced" page of
archiving dialog. It closes WinRAR window, when archiving is done.
6. "When done" list is added to "Options" page of extraction dialog.
It allows to select an action like turning a computer off
or closing WinRAR after completing extraction.
7. Switch -si can be used when extracting or testing to read archive
data from stdin, such as:
type docs.rar | rar x -si -o+ -pmypwd dummy docs\
Even though the archive name is ignored with this switch,
an arbitrary dummy archive name has to specified in the command line.
Operations requiring backward seeks are unavailable in this mode.
It includes displaying archive comments, testing the recovery record,
utilizing the quick open information, processing multivolume archives.
Prompts requiring user interaction are not allowed.
Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts.
8. New -ep4<path> switch excludes the path prefix when archiving
or extracting if this path is found in the beginning of archived name.
Path is compared with names already prepared to store in archive,
without drive letters and leading path separators. For example:
rar a -ep4texts\books archive c:\texts\books\technical
removes "text\books" from archived names, so they start
from 'technical'.
9. New -mes switch skips encrypted files when extracting or testing.
It replaces the former -p- switch.
10. New -op<path> switch sets the destination folder for 'x' and 'e'
extraction commands. Unlike <path_to_extract\> command line parameter,
this switch also accepts paths without trailing path separator
character.
11. If 'p' command is used to print a file to stdout, informational
messages are suppressed automatically to prevent them mixing
with file data.
12. "Generate archive name by mask" option and switch -ag treat only
first two 'M' characters after 'H' as minutes. Previously any
amount of such characters was considered as minutes.
It makes possible to place the time field before the date,
like -agHHMM-DDMMYY. Previous versions considered all 'M'
in this string as minutes.
13. Maximum allowed size of RAR5 recovery record is increased to 1000%
of protected data size. Maximum number of RAR5 recovery volumes
can be 10 times larger than protected RAR volumes.
Previous WinRAR versions are not able to use the recovery record
to repair broken archives if recovery record size exceeds 99%.
Similarly, previous versions cannot use recovery volumes
if their number is equal or larger than number of RAR volumes.
14. Warning is issued if entered password exceeds the allowed limit
of 127 characters and is truncated. Previously such passwords
had been truncated silently.
15. If archive includes reserved device names, the underscore character
is inserted in the beginning of such names when extracting.
For example, aux.txt is converted to _aux.txt. It is done to prevent
compatibility problems with software unable to process such names.
You can use "Allow potentially incompatible names" option
in "Advanced" part of extraction dialog or command line -oni switch
to avoid this conversion.
16. WinRAR attempts to reset the file cache before testing an archive.
It helps to verify actual data written to disk instead of reading
a cached copy.
17. Multiple -v<size> switches specifying different sizes for different
volumes are now allowed also for ZIP archives:
WinRAR a -v100k -v200k -v300k arcname.zip
Previously multiple -v<size> switches were supported only for
RAR archives.
18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command
line mode when extracting archives in any supported formats,
provided that such archive includes unpacked file sizes.
Previously these switches could filter files by size only in RAR
and ZIP archives.
19. Newer folder selection dialog is invoked when pressing "Browse" button
in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands,
also as in few other similar places. Previously a simpler XP style
folder selection dialog was opened.
20. When restoring from tray after completing an operation,
WinRAR window is positioned under other opened windows,
to not interfere with current user activities.
21. "650 MB CD" is removed and "2 GB volumes" is added to the list of
predefined volume sizes in "Define volume sizes" dialog invoked
from WinRAR "Settings/Compression".
22. "Rename" command selects the file name part up to the final dot.
Previously it selected the entire name.
23. If SFX archive size exceeds 4 GB, an error message is issued
during compression, immediately after exceeding this threshold.
Previously this error was reported only after completing compression.
Executables of such size cannot be started by Windows.
24. Command line -en switch is not supported anymore.
It created RAR4 archives without the end of archive record.
End of archive record permits to gracefully skip external data
like digital signatures.
25. Bugs fixed:
a) when editing a file inside of .rar or .zip archive,
WinRAR created a new SFX archive instead of updating an existing
archive if "Create SFX archive" option was set in the default
compression profile;
b) the total progress could be displayed incorrectly when using
-oi, -f, -u switches or appropriate GUI options;
c) "Find files" command with "Use all tables" option and command line
"it" commands failed to find strings in UTF-16 encoding.
Version 6.02
1. ZIP SFX module refuses to process SFX commands stored in archive
comment if such comment is resided after beginning of Authenticode
digital signature. It is done to prevent possible attacks with
inclusion of ZIP archive into the signature body.
We already prohibited extracting contents of such malformed archives
in WinRAR 6.01.
We are thankful to Jacob Thompson - Mandiant Advantage Labs
for reporting this issue.
2. WinRAR uses https instead of http in the web notifier window,
home page and themes links. It also implements additional checks
within the web notifier. This is done to prevent a malicious web page
from executing existing files on a user's computer. Such attack
is only possible if the intruder has managed to spoof or otherwise
control user's DNS records. Some other factors are also involved
in limiting the practical application of this attack.
We would like to express our gratitude to Igor Sak-Sakovskiy
for bringing this issue to our attention.
3. Where appropriate, SFX archive displays the additional line
with detailed error information provided by operating system.
For example, previously such archive would display "Cannot create file"
message alone. Now this message is followed by a detailed reason
like access denied or file being used by another process.
In the past this extended error information was available in WinRAR,
but not in SFX archives.
4. Switch -idn hides archived names also in 'v' and 'l' commands.
It can be useful if only the archive type or total information
is needed.
5. If -ibck -ri<priority> switches are used together, WinRAR process
sets the priority specified in -ri switch. Previous versions ignored
-ri and set the priority to low in the presence of -ibck switch.
6. When using "File/Change drive" command, WinRAR saves the last folder
of previous drive and restores it if that drive is selected again
later.
7. Name of unpacking file is now included into WinRAR incorrect password
warning for RAR5 archives. It can be helpful when unpacking
a non-solid archive containing files encrypted with different passwords.
8. Bugs fixed:
a) "Convert archives" command issued erroneous "The specified password
is incorrect" message after succesfully converting RAR archive
with encrypted file names if new password was set and archive
was opened in WinRAR shell;
b) if command progress window was resized up and then quickly resized
down to original dimensions, window contents could be positioned
incorrectly.
Version 6.01
1. Ctrl+A keyboard shortcut selects the entire text in WinRAR comment
window.
2. If -idn switch is used together with -t or -df in console RAR
when archiving, it additionally disables "Deleting <filename>"
or "Testing <filename>" messages, normally issued by these switches.
Also -idn disables folder creation messages when extracting
a file to non-existing folder.
3. WinRAR and ZIP SFX module refuse to extract contents of ZIP SFX
archives if ZIP central directory is resided after beginning
of Authenticode digital signature. It is done to prevent possible
attacks with inclusion of ZIP archive into signature body.
4. Bugs fixed:
a) "Convert archives" command could incorrectly convert Unicode
comments in RAR archives.
b) if two archive information windows had been opened from Explorer
context menu, the compression ratio bar in the first window
could erroneously display a value for second archive.
It did not affect the ratio and other text details at the right
of window. Only the vertical bar at the left could be updated
to a wrong value;
c) if "Wait if other WinRAR copies are active" option was enabled
in extraction dialog, "Waiting for another WinRAR copy" title
was not set in command progress window while waiting;
d) when extracting a symbolic link, previous versions did not
overwrite existing symbolic links even if user requested it
in overwrite prompt.
Version 6.00
1. "Ignore" and "Ignore All" options are added to read error prompt.
"Ignore" allows to continue processing with already read file part
only and "Ignore All" does it for all future read errors.
For example, if you archive a file, which portion is locked by another
process, and if "Ignore" is selected in read error prompt,
only a part of file preceding the unreadable region will be saved
into archive.
It can help to avoid interrupting lengthy archiving operations,
though be aware that files archived with "Ignore" are incomplete.
If switch -y is specified, "Ignore" is applied to all files by default.
Previously available "Retry" and "Quit" options are still present
in read error prompt as well.
2. Exit code 12 is returned in the command line mode in case of read errors.
This code is returned for all options in the read error prompt,
including a newly introduced "Ignore" option.
Previously more common fatal error code 2 was returned for read errors.
3. If several archives are selected, "Extract archives to" option group
in "Options" page of extraction dialog can be used to place extracted
files to specified destination folder, to separate subfolders
in destination folder, to separate subfolders in archive folders
and directly to archive folders.
It replaces "Extract archives to subfolders" option and available
only if multiple archives are selected.
4. New -ad2 switch places extracted files directly to archive's own folder.
Unlike -ad1, it does not create a separate subfolder for each unpacked
archive.
5. "Additional switches" option in "Options" page of archiving
and extraction dialogs allows to specify WinRAR command line switches.
It might be useful if there is no option in WinRAR graphical interface
matching a switch.
Use this feature only if you are familiar with WinRAR command line
syntax and clearly understand what specified switches are intended for.
6. Compression parameters in "Benchmark" command are changed to
32 MB dictionary and "Normal" method. They match RAR5 default mode
and more suitable to estimate the typical performance of recent
WinRAR versions than former 4 MB "Best" intended for RAR4 format.
Latest "Benchmark" results cannot be compared with previous versions
directly. New parameters set produces different values, likely lower
because of eight times larger dictionary size.
7. When unpacking a part of files from solid volume set,
WinRAR attempts to skip volumes in the beginning and
URLs
https
http
http://weirdsgn.com
http://icondesignlab.com
https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
Extracted
Family
revengerat
Botnet
Guest
C2
127.0.0.1:333
127.0.0.1:1498
Mutex
RV_MUTEX
Signatures
-
Modifies system executable filetype association 2 TTPs 8 IoCs
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
RevengeRat Executable 10 IoCs
-
XMRig Miner payload 7 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 16 IoCs
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 12 IoCs
-
Suspicious use of SetThreadContext 10 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 12 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\hood fighting.lua"1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a23a4f50,0x7ff8a23a4f60,0x7ff8a23a4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1676 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2032 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4496 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4828 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5628 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4636 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4568 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4544 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3256 /prefetch:82⤵
-
C:\Users\Admin\Downloads\winrar-x64-611.exe"C:\Users\Admin\Downloads\winrar-x64-611.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5836 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6088 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6040 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3816 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6372 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6240 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6300 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6308 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5756 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6224 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3332 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3648 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4048 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3724 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6288 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2128 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Revenge-RAT v0.3.zip"2⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Revenge-RAT v0.3.zip"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6180 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=996 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=984 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5584 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3864 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5772 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6460 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5228 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6052 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3364 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6188 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6228 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6348 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3160 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6220 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6992 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7104 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7356 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6980 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3376 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6784 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6784 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6868 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6088 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6812 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,10636129226229409725,6748091392668984529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5708 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"3⤵
-
C:\Windows\system32\schtasks.exeschtasks /End /TN "WindowsUpdate"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "WindowsUpdate" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"3⤵
-
C:\Windows\system32\schtasks.exeschtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit2⤵
-
C:\Windows\system32\certutil.execertutil –addstore –f root MicrosoftWindows.crt3⤵
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\Client.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe" dotNET_Reactor.exe -file "C:\Users\Admin\Downloads\Client.exe" -antitamp[1] -suppressildasm[1] -obfuscate_public_types[1] -stringencryption[1] -obfuscation[1] -targetfile "C:\Users\Admin\Downloads\Client.exe"3⤵
- Executes dropped EXE
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select,C:\Users\Admin\Downloads\Client.exe3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\ded.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe" dotNET_Reactor.exe -file "C:\Users\Admin\Downloads\ded.exe" -antitamp[1] -suppressildasm[1] -obfuscate_public_types[1] -stringencryption[1] -obfuscation[1] -targetfile "C:\Users\Admin\Downloads\ded.exe"3⤵
- Executes dropped EXE
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select,C:\Users\Admin\Downloads\ded.exe3⤵
-
C:\Windows\SysWOW64\TiWorker.exeC:\Windows\SysWOW64\TiWorker.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1360_1251348614\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1360_1251348614\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={06c73154-b726-4f06-8c90-269af94ddb97} --system2⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Client.exe"C:\Users\Admin\Downloads\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\15j1yif4\15j1yif4.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc608248644E4A49DBA4AF41EFD2AA83B2.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0out3dgm\0out3dgm.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E3B3544CCCF49EFB94111AEC133F684.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mbeffeec\mbeffeec.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9345.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16D095BF145F419F92243F967C673E9.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yjtrp1g4\yjtrp1g4.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC169.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7CC176BC66FF46868BBA19261ED8D8.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nuhjkiyf\nuhjkiyf.cmdline"4⤵
-
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"6⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x49c 0x4381⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\ded.exe"C:\Users\Admin\Downloads\ded.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 2324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2808 -ip 28081⤵
-
C:\Users\Admin\Downloads\ded.exe"C:\Users\Admin\Downloads\ded.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 2083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3796 -ip 37961⤵
-
C:\Users\Admin\Downloads\Client.exe"C:\Users\Admin\Downloads\Client.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\ded.exe"C:\Users\Admin\Downloads\ded.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"2⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\AssertRevoke.rarFilesize
316KB
MD544f2d77806b79baa293b0b5110a9bcd2
SHA1600d37e26d8d2b65b5caccc73f5c7a4b36bbbf08
SHA2564cd262630463dd70d37da96d59fb7d768f35cfe08dcb7d655977592d1da9fd5f
SHA5121aa200a4a31261a717d4e4224e00dbbe92904057693731522f207d4e2440f35bb584fe07668d272c8e68fbaafda1a127c7931ffd1a27d275d82e5882fc01400c
-
C:\Users\Admin\Desktop\BlockDismount.htaFilesize
258KB
MD5f3b4ac5c275e6acb75266faf54ca4d01
SHA1145db6de5b40eb82239b48403b4c491a5108c7c4
SHA256497e20129822cef3c92163cd9d551d534393f140cdc79090966b4bc4eb812625
SHA51263075bffd2ff4d6033e80e0206621ee9dfd263a329f0ec170eae3aba0a2d095eaee0033b099c774f8e77b452efa4dfa241159fe21df6dbaaa07804b7bc7ed340
-
C:\Users\Admin\Desktop\CloseAdd.wmFilesize
301KB
MD555d368d6495a9fd9e2701ab302691da0
SHA18e4bdf5d6ede6a8ab6a1c2f340197728c1c3a6da
SHA2565084c7d9b3fb7e1e39abd769c5aacd5dade3437d6d1e5a01d9856da1087bb8dd
SHA512327ac88376710251cb2a74e5385c1d78eb17193a904e3795b3b969afe3ecc027d882a9d2e7df81400f583a4a981923bb9c297f632752d0d28847be1f6afe9a52
-
C:\Users\Admin\Desktop\CompleteConvert.wmFilesize
272KB
MD505475ed4be6baccba1f355e615d99f80
SHA155ff2cb12a8a4ab5f0c74b3454aac7d4cfb4fb18
SHA2561a4c41ac6bf3781a0c4c05162193213ed73651c09a21d70142fff0f598deacb9
SHA512e0af57110ea804647a79c59b883e34828e06de8131a90c163223fcde8f96ca6f6d1f2ef6d39b0a63aef6b9e53115d302714a350309d8fb0451c9149b60690aec
-
C:\Users\Admin\Desktop\DenyConnect.mhtFilesize
229KB
MD5c76cefba07a0b4f49b770a1ff7892925
SHA149ac022db973a1b1a99ba26ca38f764c3af60f34
SHA256e61de51626bd90acbf9828825998ad19e7706eb3203c8d4fd02839523b7f4712
SHA51297b9caee34828f5e2fd076b9fa558e5d8e3f8951b283d3a0a5954895bce8447311cc4b7610911e4a35f89ddcfdfb63d59d5d2ce6e3f073e4c029eb2d1562dd8b
-
C:\Users\Admin\Desktop\DenyFind.pubFilesize
431KB
MD5e2b6300444091aab211aa689c41973d0
SHA13d5da54db1beb6f4fadc8528b972da91b1f66997
SHA25656ec13bdf18b56d98ee3f5220fcecedf93a586919dbe15c4512c1423f5bd1e12
SHA5129c9f7fa02d46931e052240502ee78213f2398933bcff04ba2efd1ea98fc50d6fde1095ad8e394a724b59c27f316304938d09e234454b7aa7ad82ccc19567742f
-
C:\Users\Admin\Desktop\DismountFormat.bmpFilesize
201KB
MD5da974c4b6e57783b076367e7d4ffd548
SHA1f6cc481c62b5a655cffbb192e3ad2665818a7383
SHA256a5bcae66ba4638b6bc5f6c22c655baac7822c22440b30e5b5ff9c3c20cb1eebe
SHA5121ab68a24df7bbcb602edafe055f57e4791ee033b17f714726ceffb4e7d7cb6a6dceb8028fe9e402ecf2f83255903a952fa0d7a21c2b394b3d6fdbb09b46c6851
-
C:\Users\Admin\Desktop\ExitUnblock.docxFilesize
459KB
MD5ade196a42b39cc890e53173728a49790
SHA175718db69f8b5d32a854f57c39ec77e79a910aeb
SHA256a80851d20f8cc033f7e54d73e4d55b0b82d197e296002e75ff13e220f1292a90
SHA512c529f644858362b9fa31ca0103535150c738c4c4a70c2c651795917ba3fbfd933182b67e7c322c8930a8459fb163175dd58ae3aad10c6fe7c2e9d29c2b52648d
-
C:\Users\Admin\Desktop\ImportRevoke.vswFilesize
790KB
MD59b1da85dcc24cb63bc108ecd7c938f0d
SHA15b77a7cd7a09738d7b7152a71c4afb96c5700c3b
SHA2567fbdd01f124bffa2de6e3cd2373807f2a05cb9b83921a21aa6e6978163d87be0
SHA51281e54a9662049f3545f1fe2ae7f99360421f0773b212c911333745db04efb8fcd5ba795206b57dc0c4225dc7bce94d42d6aeffefcb47a554f188ad66b61a3e71
-
C:\Users\Admin\Desktop\InstallDisable.xltmFilesize
373KB
MD50441bb684e38465c635d4f395d783fef
SHA1024f847f30cacfec01a17b5a73367de24f1df5fa
SHA2565897edbfc7e880caff7ca99952c69eb61cacc56bb53f48ce6400c041662ccf50
SHA51281220c272fb40196721de1b8ddf521af383ef0e3551f327f8b1aebd98d7df8af6817c09787e7513089ed0fdfc3599e5945ad7f393f41be47911d1aa83bb49573
-
C:\Users\Admin\Desktop\MergeSwitch.dxfFilesize
445KB
MD5b664f62abde4947cd74d2ffed96ad39e
SHA17dcf45753ce5604780caaf01e348c16d813b3435
SHA256ecbcf9b365a1e81f5035fabe70e474ffa5541d3d70da414d68481eeb6e4f82bb
SHA512dfc0fe68dad9b1064f5ad802a4cd1de85cc0a55728637c22089b028836154323870d04c5950f4208f134a65a67b4c8cb85d15681d3b43d376a38268b365d1909
-
C:\Users\Admin\Desktop\NewClose.ex_Filesize
574KB
MD5bcf0a9edcc3daaeb5da4462d57ad3ec4
SHA1262ec286457aec2389223cdbcc00d62fb9b57b76
SHA256d16dc9c885a7f3d3598ade19a23b1b664a353283414034edc36eaf4340351217
SHA512b42e462b22f07fb55bdd6b2c9aa890f382292aca06a5a9964561523f1241deb7aaab813fdbd74fc78d4c819b842079a04e57a152dfffaf431de50aab6259682e
-
C:\Users\Admin\Desktop\OpenAdd.sysFilesize
416KB
MD58096a5c81f2af1a04241948dfc3c7c1c
SHA13649cc88eaddfe117b3dfb99e756f5593cbc2697
SHA2564331781f234274798e53f2943660ae281906c5559568a86af62c7a43e7c7ac6d
SHA512d784c8900c560fd10dc6618785e34f127f8fe64b1d94624d64d95ee28829652140d5180e21162bcca9bd5b6613dc8f42ecba87122b1274b6198b28a90613b10c
-
C:\Users\Admin\Desktop\OpenWrite.otfFilesize
215KB
MD5904763a275d490b14c56c48d02a70bac
SHA1cd60728eed30472b527d9fa07914c9ef36c2d7e0
SHA2563dd0c6ac665a9b2f48aa988c34c122a785e02e23296e96bacff90d5167b3a3be
SHA51266c42054982da77b9e67d8d282e3f3c1ec496ed7f111ecf51ba65c5f599a31470e6514b5958b91374ebd62c670ec90753d1c0ac8f87576f0d0dbc76cd6288c88
-
C:\Users\Admin\Desktop\PublishRestart.jpegFilesize
517KB
MD592055f24852802e61080e6834dd51c02
SHA19a365237d4e6e5dfd4c7ebf9cf81f9ab728a5291
SHA256b16dcb320e785cd3cfcd3c6e91e65fc818b4deedf34a04fc0b6a634db0617ba3
SHA51234a892640e896fb7030821115d63d802b9ae67da80792d1f221f1e03abe4c2ff13ec0d2ad287546f1dcde7507350c3b32b94b117096e73d3fa40d1238d97bee8
-
C:\Users\Admin\Desktop\ReadRevoke.ps1xmlFilesize
531KB
MD5ffe5d42c66590631766eb17e0a930a44
SHA12a4500e3712b7d9811fa178af31dd10590219831
SHA256ecaafed90a74dd65c6a2c20f06ce6f143eac0d6470701cfda3c3d0f60b993087
SHA512f3cbb6d9c48a662278af5971e60d219b683e25b7435ce73e19fb306db3f6f42a4bee1a28d4724231369c32fc33216d133d3dfe84497cfd755ac7fe42c1f05ad6
-
C:\Users\Admin\Desktop\RepairReceive.isoFilesize
474KB
MD5d4789aa7ac70d3088403daab18f8aee2
SHA1f188e88f7694882d6088dc730cd3bf0f35891d3b
SHA256ab7ce8b0d7cc1075657e47630a5a0458969e291b7058b9e45387c069db7ab7d4
SHA5129159413fd515d2416e1db78e1d8435f10823ba6ecfb65b5c5dd1b00b6cdd4aeffdd7edf94845b35e05626feffa3ff89fb3579211697c6b7e564b0b3830844869
-
C:\Users\Admin\Desktop\RequestConvertFrom.rtfFilesize
344KB
MD5297b7d6852bdf99e742a10319b9bbf3f
SHA1f605654b5bb6de0f551b0d7b95b52c7e6b4de277
SHA2566ed21e4948d23ab7285a6fdb0cecc3d06e8e75951bcf2bd9f8bb26f535508c6a
SHA5128f7b18d57bba025010c2915f1dfb55465c3d4a330bb6c2f4f76864468c95835895cd630966e370a96810280d75720184ad4df8a7e77a59e3b78f74b96d61a763
-
C:\Users\Admin\Desktop\RequestJoin.dotmFilesize
560KB
MD56eaca00fa03928ed5cd847b676ce2007
SHA12ecc5ab90b01e22cb8e9ecaaa43083f9bc67be66
SHA256d4d9ec937f86e05ae7f0c90630330656301f27dda712985564b982493660527d
SHA51297452cac13fde8c66a6630d3400a103e02fe12c46efa2b8c86527f168046f466d97b3e229ff002d300112a704bf6626b83c1f2216a7d4882296e6eedaae367e0
-
C:\Users\Admin\Desktop\RequestRename.xlsbFilesize
359KB
MD5316865a1417f324f6c78dcb80883b681
SHA13dd472a62c6134e22bf1d5f736f0aa8c6846435f
SHA256feb224657cdf1ae3a7d0d565370e155d7b0ef9b3abd697cb1536af2d05af0fec
SHA51294268f48ae3f9d4e45211cf525e1fe1475255d4bdaf60e9815e4802515f9e4a1590f40be070fb5fcf470e69ec734dbe8dd7cfb6afa5315a6725bb915d20b853c
-
C:\Users\Admin\Desktop\ResumeReceive.xltxFilesize
502KB
MD553c3d6cd0fcdede6404cf6fd5a6e7670
SHA1d6687818adb9652c7a6b7f03e3bd85c0d6059cd1
SHA2561d1a2ccf6300b10ec05fde34e41eccea10af71f239a133e4bdaebfe4cb0ad970
SHA512093f2a8f06cffa260941b7504bdfe297340c454a280e17e70ceaa418818f9a72cc96d536f1b2f5a82e4a02f0c0c04387335c548b6c92c9a0def41929a05189c0
-
C:\Users\Admin\Desktop\SendGet.xltFilesize
330KB
MD5c183fe8403b3da673d96956731e37e3f
SHA12cbe41cd2c41203ec093114b181191b1ca3d7c21
SHA256d38b6d25810276b8faf39e0f24f99d19d1bc07dd0816bf5ddba523b391c7b0f6
SHA5125d378b3194070140d5517ccbd774be3d1023f63ba52605d0c294b337dfab5d508ec207903390e78ef1eea2571525300155014faa1340e5553b197697ede44577
-
C:\Users\Admin\Desktop\ShowPublish.ps1Filesize
287KB
MD55a6833479406b012aac242001b921f39
SHA10ae4406c3e09407937f4a7560fe51e2ec142f587
SHA2565b6685853a0247a706dad9bd2f344ec1def3d317c142162fa879422c3559804d
SHA51279baec1cc3cdd6136f36a318e4ea283793f83b1927e2590f25f7ff08f6a20b019909f746cbd6161abe75869c9c8489ccd15375ed8d2828333ab8d73beed5b734
-
C:\Users\Admin\Desktop\SplitConfirm.pptFilesize
488KB
MD58346ab77dafc755678c34fcbb035fd53
SHA11caa27ebee047389c7631ad8816d02f4dee23e1d
SHA256653a43f9ebb41a0aafa1cfbd59e9135967c2e30fcaca61680310600362d65464
SHA5121d7dfba3c5915af198cc927761651e3982bf6d1b1b7f9f09b38b3df11b06ed2af11d2ecc6b3d16731d43541a9ecb569046b855309ca74e4a22be480dc9723d29
-
C:\Users\Admin\Desktop\SyncConvertFrom.rarFilesize
545KB
MD515a0a043eb746b7dad81d733b96cfb01
SHA11ba46c1437b3451894c406cbb168f78fa8bfcea1
SHA2568de8d157586aa819bdab2a0842d2d480119b32e1201286cb1ce2e899b07185fc
SHA5126d9a65c6d9493f7b510303921b86f6d6fb67a26921dac6d9d4c9d9a2fe8cb86e492d04e685b80c2a6a9b7c4b2a6422e9122fe722c674d3971dbf95a384762e55
-
C:\Users\Admin\Desktop\UnlockConnect.kixFilesize
387KB
MD5cce019412d0ec7222a3d8ab24fde58c6
SHA1800bb12b934c8d28f55efdd00dc20090fef00fea
SHA25630b925ea16c77f43b4169dd64b663201b639e7cc070eec188b8b645d389eebcd
SHA51251ac8f6adf704ed67c8ff3669dbfe331e93f10891fe08f24b018bf29be5d06996f101136cfef6be42091709a7d5ab69a97a5caaa49355451b0fbc81db5f67d01
-
C:\Users\Admin\Desktop\UnlockEnable.docxFilesize
244KB
MD5bd8ee77240dfd9b414ed5f6a466a8a6c
SHA124d84aca77c943b10fa32e20ae4401d2497fcd51
SHA256ad3342c03df3f73f3d6acbb074cfaa11d3e909b1c5f4bcf07737971d04a0f0ec
SHA512d2038985e71ba90ecf963e5293a4c1fd337bbfb7f98643a8034a018e7d522a2f522da9871b6ee61f04a10d26776bafad29af1a43839f3a37e299255a1e5a6986
-
C:\Users\Admin\Desktop\WaitResolve.sndFilesize
402KB
MD53c9ac23ffea6683355bd87aa82931b92
SHA1bb1593626f0a098d2b2d991236a2fd160838ba94
SHA25669c668dadbf418558050cd09242675cf0fe1ef5577e55c1983edd357d0074e19
SHA51208038fd9869cd703c77bc70efa1d88d23a8a74ed53fb844c61b018e2b4e1fc865e4bd87d4c40965667b09f0936e688b928b813c84493b31bc4323f9727ea8133
-
\??\pipe\crashpad_4436_VXXQSNUGVDLFAITVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/224-165-0x0000000000000000-mapping.dmp
-
memory/492-164-0x0000000000000000-mapping.dmp
-
memory/960-181-0x0000000000000000-mapping.dmp
-
memory/1188-169-0x0000000000000000-mapping.dmp
-
memory/1188-205-0x0000000000000000-mapping.dmp
-
memory/1188-206-0x00007FF889160000-0x00007FF889B96000-memory.dmpFilesize
10.2MB
-
memory/1304-170-0x0000000000000000-mapping.dmp
-
memory/1360-173-0x0000000000000000-mapping.dmp
-
memory/1440-179-0x0000000000000000-mapping.dmp
-
memory/1684-186-0x0000000000000000-mapping.dmp
-
memory/1732-240-0x0000000000000000-mapping.dmp
-
memory/1776-208-0x000000000041CF6E-mapping.dmp
-
memory/1776-217-0x0000000005E20000-0x0000000005EB2000-memory.dmpFilesize
584KB
-
memory/1776-209-0x0000000000580000-0x00000000005A0000-memory.dmpFilesize
128KB
-
memory/1776-210-0x0000000004A10000-0x0000000004AAC000-memory.dmpFilesize
624KB
-
memory/1776-211-0x0000000005140000-0x00000000056E4000-memory.dmpFilesize
5.6MB
-
memory/1776-212-0x0000000004B90000-0x0000000004BF6000-memory.dmpFilesize
408KB
-
memory/1816-171-0x0000000000000000-mapping.dmp
-
memory/1872-263-0x0000000000000000-mapping.dmp
-
memory/1872-267-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1872-270-0x0000000074940000-0x0000000074EF1000-memory.dmpFilesize
5.7MB
-
memory/1872-272-0x0000000074940000-0x0000000074EF1000-memory.dmpFilesize
5.7MB
-
memory/1872-273-0x0000000074940000-0x0000000074EF1000-memory.dmpFilesize
5.7MB
-
memory/1988-176-0x0000000000000000-mapping.dmp
-
memory/2004-220-0x0000000000000000-mapping.dmp
-
memory/2092-200-0x0000000000000000-mapping.dmp
-
memory/2092-203-0x00000000748A0000-0x0000000074E51000-memory.dmpFilesize
5.7MB
-
memory/2092-202-0x00000000748A0000-0x0000000074E51000-memory.dmpFilesize
5.7MB
-
memory/2092-201-0x00000000748A0000-0x0000000074E51000-memory.dmpFilesize
5.7MB
-
memory/2240-269-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2240-268-0x0000000000000000-mapping.dmp
-
memory/2240-271-0x0000000074940000-0x0000000074EF1000-memory.dmpFilesize
5.7MB
-
memory/2292-187-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2292-194-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2292-189-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2292-185-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2292-182-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2292-183-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2292-184-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2292-190-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2356-221-0x0000000000000000-mapping.dmp
-
memory/2436-236-0x0000000000000000-mapping.dmp
-
memory/2452-260-0x000000000041CF6E-mapping.dmp
-
memory/2564-161-0x0000000000000000-mapping.dmp
-
memory/2644-227-0x0000000000000000-mapping.dmp
-
memory/2808-249-0x0000000000540000-0x0000000000556000-memory.dmpFilesize
88KB
-
memory/2808-247-0x0000000000540000-0x0000000000556000-memory.dmpFilesize
88KB
-
memory/2808-242-0x0000000000000000-mapping.dmp
-
memory/2808-244-0x0000000000540000-0x0000000000556000-memory.dmpFilesize
88KB
-
memory/2848-177-0x0000000000000000-mapping.dmp
-
memory/2944-223-0x0000000000000000-mapping.dmp
-
memory/2972-232-0x0000000000000000-mapping.dmp
-
memory/2988-229-0x00007FF889160000-0x00007FF889B96000-memory.dmpFilesize
10.2MB
-
memory/2988-228-0x0000000000000000-mapping.dmp
-
memory/2988-188-0x0000000000000000-mapping.dmp
-
memory/3096-175-0x0000000000000000-mapping.dmp
-
memory/3104-197-0x00000296D7A10000-0x00000296D7ACD000-memory.dmpFilesize
756KB
-
memory/3104-196-0x00000296D7A10000-0x00000296D7ACD000-memory.dmpFilesize
756KB
-
memory/3104-192-0x00000296D6920000-0x00000296D76E4000-memory.dmpFilesize
13.8MB
-
memory/3104-193-0x00007FF89C6D0000-0x00007FF89D191000-memory.dmpFilesize
10.8MB
-
memory/3104-218-0x00000296F13C0000-0x00000296F13D2000-memory.dmpFilesize
72KB
-
memory/3104-195-0x00007FF89C6D0000-0x00007FF89D191000-memory.dmpFilesize
10.8MB
-
memory/3104-216-0x00000296F4E20000-0x00000296F4E36000-memory.dmpFilesize
88KB
-
memory/3104-191-0x0000000000000000-mapping.dmp
-
memory/3112-258-0x00007FF887510000-0x00007FF887F46000-memory.dmpFilesize
10.2MB
-
memory/3344-245-0x00000000748A0000-0x0000000074E51000-memory.dmpFilesize
5.7MB
-
memory/3344-241-0x0000000000000000-mapping.dmp
-
memory/3384-180-0x0000000000000000-mapping.dmp
-
memory/3648-172-0x0000000000000000-mapping.dmp
-
memory/3796-250-0x0000000000000000-mapping.dmp
-
memory/3796-257-0x0000000000790000-0x00000000007A6000-memory.dmpFilesize
88KB
-
memory/3796-255-0x0000000000790000-0x00000000007A6000-memory.dmpFilesize
88KB
-
memory/3936-224-0x0000000000000000-mapping.dmp
-
memory/3960-174-0x0000000000000000-mapping.dmp
-
memory/3960-225-0x0000000000000000-mapping.dmp
-
memory/4160-163-0x0000000000000000-mapping.dmp
-
memory/4176-219-0x0000000000000000-mapping.dmp
-
memory/4200-215-0x0000000005A50000-0x0000000005F7C000-memory.dmpFilesize
5.2MB
-
memory/4200-213-0x0000000000000000-mapping.dmp
-
memory/4200-214-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/4588-204-0x0000000000000000-mapping.dmp
-
memory/4644-239-0x00000000748A0000-0x0000000074E51000-memory.dmpFilesize
5.7MB
-
memory/4644-238-0x00000000748A0000-0x0000000074E51000-memory.dmpFilesize
5.7MB
-
memory/4644-237-0x0000000000000000-mapping.dmp
-
memory/4672-261-0x0000000000000000-mapping.dmp
-
memory/4740-254-0x0000000074940000-0x0000000074EF1000-memory.dmpFilesize
5.7MB
-
memory/4752-235-0x000001C9CE040000-0x000001C9CE050000-memory.dmpFilesize
64KB
-
memory/4752-234-0x000001C9CDF40000-0x000001C9CDF50000-memory.dmpFilesize
64KB
-
memory/4756-222-0x0000000000000000-mapping.dmp
-
memory/4800-231-0x000000000041CF6E-mapping.dmp
-
memory/4856-199-0x0000000000000000-mapping.dmp
-
memory/4904-178-0x0000000000000000-mapping.dmp
-
memory/4936-226-0x0000000000000000-mapping.dmp
-
memory/4984-198-0x0000000000000000-mapping.dmp
-
memory/5060-266-0x0000000074940000-0x0000000074EF1000-memory.dmpFilesize
5.7MB
-
memory/5092-168-0x0000000000000000-mapping.dmp
