Analysis
max time kernel: 1800s
max time network: 1802s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-01-2023 05:35
Static task: static1
Behavioral task: behavioral1
Sample: hitho.lua
Resource: win10v2004-20220812-en
General
Target: hitho.lua
Size: 134B
MD5: ddfdcc11a3e4a5dd265442a5bcea9fcf
SHA1: a98cf41fb793d5c23bef6baac5c5848233c6ff41
SHA256: 8a8762536fbbd093b02ed8e6d698b8831575206d3d2f0b9d4a06a770ff95785f
SHA512: 25baa3074642a5f45760a905e238b3882debc856d9c84701930f4b6ed5d105e983bec3a3dfed0de6c8b6b5b901f575cbccf8fe3debc8f970acc8ff70371d6c02
Note: the submitted file is a 134-byte Lua script. Every PE file that appears below (the WinRAR installer, the Revenge-RAT builder and the Client.exe it generates, the XMRig payload, the packing tools) was downloaded or launched during the run and is not contained in these 134 bytes, so the hashes above identify the script only, not the dropped binaries.
Malware Config
Extracted from C:\Program Files\WinRAR\Rar.txt
  -n@inclist.txt
Extracted from C:\Program Files\WinRAR\WhatsNew.txt
  https
  http
  http://weirdsgn.com
  http://icondesignlab.com
  https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
Extracted: revengerat
  ID: Guest
  C2: 127.0.0.1:9551
  Mutex: RV_MUTEX-uawrHJfWfhaR
Notes: the first two entries were pulled from WinRAR's own documentation files under C:\Program Files\WinRAR (Rar.txt is the command-line manual, WhatsNew.txt the changelog), so "-n@inclist.txt" and the listed URLs are config-extractor noise, not sample configuration. The RevengeRAT C2 is the loopback address 127.0.0.1:9551: the Client.exe built during this run can only reach a server on the same host and produces no external beacon, which is typical of a builder being exercised rather than a deployed client. The mutex name is the usable host IoC from this block.
Signatures

Modifies system executable filetype association (2 TTPs, 8 IoCs)
Process: uninstall.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}
Note: uninstall.exe here is the WinRAR installer's setup component (it is written to C:\Program Files\WinRAR by winrar-x64-611.exe, see "Drops file in Program Files directory"), and the two CLSIDs are WinRAR's 64-bit and 32-bit shell extensions. This is WinRAR's normal shell integration, not a change made by the RAT.
RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (12 IoCs)
YARA rule "revengerat" matched in these memory dumps:
  behavioral1/memory/3724-199-0x0000000000400000-0x0000000000416000-memory.dmp
  behavioral1/memory/3724-201-0x0000000000400000-0x0000000000416000-memory.dmp
  behavioral1/memory/2100-276-0x0000000000400000-0x000000000040C000-memory.dmp
  behavioral1/memory/2100-277-0x0000000000407E4E-mapping.dmp
  behavioral1/memory/1408-287-0x0000000000407E4E-mapping.dmp
  behavioral1/memory/4616-296-0x0000000000407E4E-mapping.dmp
  behavioral1/memory/4468-305-0x0000000000407E4E-mapping.dmp
  behavioral1/memory/4616-324-0x0000000000400000-0x000000000040C000-memory.dmp
  behavioral1/memory/208-335-0x0000000000400000-0x0000000000418000-memory.dmp
  behavioral1/memory/208-337-0x0000000000400000-0x0000000000418000-memory.dmp
  behavioral1/memory/4540-354-0x0000000000590000-0x00000000005A8000-memory.dmp
  behavioral1/memory/4540-357-0x0000000000590000-0x00000000005A8000-memory.dmp
Note: every PID here (3724, 2100, 1408, 4616, 4468, 208, 4540) is an aspnet_compiler.exe instance that appears as an injection target in the SetThreadContext section below, hollowed directly by Client.exe or one of its renamed copies. The RAT body is only observed in memory of those hosts; no file named aspnet_compiler.exe is dropped. PID 4540's image is mapped at 0x590000 rather than the 0x400000 seen in the others, and it is the process WerFault later reports as crashed.
XMRig Miner payload (7 IoCs)
YARA rule "xmrig" matched in these memory dumps:
  behavioral1/memory/4584-174-0x0000000000400000-0x0000000000DCB000-memory.dmp
  behavioral1/memory/4584-175-0x0000000000400000-0x0000000000DCB000-memory.dmp
  behavioral1/memory/4584-176-0x0000000000400000-0x0000000000DCB000-memory.dmp
  behavioral1/memory/4584-178-0x0000000000400000-0x0000000000DCB000-memory.dmp
  behavioral1/memory/4584-179-0x0000000000400000-0x0000000000DCB000-memory.dmp
  behavioral1/memory/4584-180-0x0000000000400000-0x0000000000DCB000-memory.dmp
  behavioral1/memory/4584-184-0x0000000000400000-0x0000000000DCB000-memory.dmp
Note: PID 4584 is TiWorker.exe in the dropped-EXE list, the file that Revenge-RAT v0.3x.exe writes to C:\Windows\SysWOW64\TiWorker.exe next to config.json (see "Drops file in System32 directory"). The miner borrows the name of the Windows Modules Installer Worker; the genuine TiWorker.exe is not located in SysWOW64, so the path alone is a usable detection.
Downloads MZ/PE file

Executes dropped EXE (39 IoCs)
PID and process:
  1396 winrar-x64-611.exe
  1956 uninstall.exe
  2988 WinRAR.exe
  4756 ChromeRecovery.exe
  2064 Revenge-RAT v0.3x.exe
  4584 TiWorker.exe
  1964 Revenge-RAT v0.3.exe
  1372 dotNET_Reactor.exe
  4012 Revenge-RAT v0.3.exe
  1480 Client.exe
  4072 Client.exe
  5008 Client.exe
  4416 Client.exe
  5060 mpress.exe
  2704 dotNET_Reactor.exe
  4944 ded.exe
  4992 ded.exe
  4788 ded.exe
  2284 GoRC.exe
  212 Resource Hacker.exe
  4640 ddddd‮4PM..exe
  544 ddddd‮4PM..exe
  4916 ddddd‮4PM..exe
  4072 ddddd‮4PM..exe
  180 Client.exe
  3796 GoRC.exe
  3196 Resource Hacker.exe
  4772 ew‮4PM..exe
  64 GoRC.exe
  4508 Resource Hacker.exe
  3636 bru‮4PM..exe
  1160 Client.exe
  2488 Client.exe
  2392 GoRC.exe
  1492 Resource Hacker.exe
  3136 dotNET_Reactor.exe
  3140 wwww.exe
  1496 wwww.exe
  3568 Client.exe
Notes: the names ddddd‮4PM..exe, ew‮4PM..exe and bru‮4PM..exe contain a Unicode right-to-left override (U+202E) after the visible prefix. A shell that honours it renders the trailing "4PM..exe" reversed, so the files display as "dddddexe..MP4" and so on, i.e. as .MP4 media, while remaining executables; when hunting, match on the U+202E code point rather than on the rendered name. PID 4072 appears twice (Client.exe, then ddddd‮4PM..exe) because the host reused the PID. dotNET_Reactor.exe (.NET obfuscator), mpress.exe (executable packer), GoRC.exe (resource compiler) and Resource Hacker.exe (resource editor) are build and packaging tools, consistent with the RAT builder being operated interactively during the run.
Modifies Windows Firewall (1 TTPs, 2 IoCs)

Registers COM server for autorun (1 TTPs, 3 IoCs)
Process: uninstall.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"
Note: this registers WinRAR's rarext.dll shell extension under the same CLSID used in the filetype-association signature above. It is the installer's normal COM registration, not a persistence mechanism of the RAT.
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation, by process:
  winrar-x64-611.exe
  Revenge-RAT v0.3x.exe
  Revenge-RAT v0.3.exe
  Revenge-RAT v0.3.exe
  bru‮4PM..exe
  Client.exe
Note: the WinRAR installer performs the same read, so this query by itself is weak evidence of geofencing; the reads by Client.exe and bru‮4PM..exe are the ones to correlate with the RAT's later behaviour.
Loads dropped DLL (9 IoCs)
PID and process:
  3004 (process name not recorded in the page)
  3724 aspnet_compiler.exe
  4480 aspnet_compiler.exe
  1880 explorer.exe
  2100 aspnet_compiler.exe
  1408 aspnet_compiler.exe
  4616 aspnet_compiler.exe
  1160 Client.exe
  208 aspnet_compiler.exe
Note: PID 1880 is named explorer.exe here but appears as an aspnet_compiler.exe injection target (of Client.exe PID 180) in the SetThreadContext section; treat the name on a reused PID as unreliable.
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule "autoit_exe" matched:
  C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe
  C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe
Note: this AutoIt-compiled Revenge-RAT v0.3x.exe, shipped beside the real builder (Revenge-RAT v0.3.exe) in the same folder, is the process that drops the XMRig TiWorker.exe and config.json into SysWOW64 (next section). The builder package itself carries a miner aimed at whoever runs it.
Drops file in System32 directory (8 IoCs)
Process: Revenge-RAT v0.3x.exe
  File created C:\Windows\SysWOW64\MicrosoftWindows.xml
  File opened for modification C:\Windows\SysWOW64\MicrosoftWindows.xml
  File created C:\Windows\SysWOW64\TiWorker.exe
  File opened for modification C:\Windows\SysWOW64\TiWorker.exe
  File created C:\Windows\SysWOW64\config.json
  File opened for modification C:\Windows\SysWOW64\config.json
Process: svchost.exe
  File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{18ECAF48-72A2-4689-BE77-3D0AF5D09AB5}.catalogItem
  File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{02E79545-05FB-447D-B7D5-5243C80E347B}.catalogItem
Note: the three SysWOW64 files are the host IoCs worth hunting. TiWorker.exe there is the XMRig payload (PID 4584 above) and config.json its miner configuration; MicrosoftWindows.xml is written alongside them and should be examined together with the "Creates scheduled task(s)" signature below. Creating files in SysWOW64 needs an elevated token, so Revenge-RAT v0.3x.exe was running as administrator. The svchost.exe catalogItem writes are Windows InstallService activity unrelated to the sample.
Suspicious use of SetThreadContext (25 IoCs)
Injecting PID and image -> target PID and image:
  1480 Client.exe -> 3724 aspnet_compiler.exe
  3724 aspnet_compiler.exe -> 2424 aspnet_compiler.exe
  4072 Client.exe -> 4480 aspnet_compiler.exe
  4480 aspnet_compiler.exe -> 1300 aspnet_compiler.exe
  5008 Client.exe -> 4936 aspnet_compiler.exe
  4936 aspnet_compiler.exe -> 4508 aspnet_compiler.exe
  4416 Client.exe -> 2096 aspnet_compiler.exe
  2096 aspnet_compiler.exe -> 3412 aspnet_compiler.exe
  4640 ddddd‮4PM..exe -> 2100 aspnet_compiler.exe
  2100 aspnet_compiler.exe -> 1572 aspnet_compiler.exe
  544 ddddd‮4PM..exe -> 1408 aspnet_compiler.exe
  1408 aspnet_compiler.exe -> 460 aspnet_compiler.exe
  4916 ddddd‮4PM..exe -> 4616 aspnet_compiler.exe
  4616 aspnet_compiler.exe -> 4036 aspnet_compiler.exe
  4072 ddddd‮4PM..exe -> 4468 aspnet_compiler.exe
  4468 aspnet_compiler.exe -> 4464 aspnet_compiler.exe
  180 Client.exe -> 1880 aspnet_compiler.exe
  1880 aspnet_compiler.exe -> 1556 aspnet_compiler.exe
  4772 ew‮4PM..exe -> 4616 aspnet_compiler.exe
  4616 aspnet_compiler.exe -> 3136 aspnet_compiler.exe
  3140 wwww.exe -> 208 aspnet_compiler.exe
  208 aspnet_compiler.exe -> 2964 aspnet_compiler.exe
  1496 wwww.exe -> 456 aspnet_compiler.exe
  456 aspnet_compiler.exe -> 1408 aspnet_compiler.exe
  3568 Client.exe -> 4540 aspnet_compiler.exe
Note: the pattern repeats for every dropped client. The dropper (Client.exe, or one of its RLO-renamed copies) sets the thread context of a freshly started aspnet_compiler.exe, the .NET Framework's ASP.NET precompiler, which is the step that signals process hollowing; that first host then does the same to a second aspnet_compiler.exe. Thirteen first-stage injections give twelve two-stage chains; the thirteenth (3568 -> 4540) stops after one stage because 4540 is the process WerFault reports crashing. The revengerat memory hits above all sit in first-stage hosts. A detection keyed on SetThreadContext from a non-Microsoft parent into aspnet_compiler.exe catches the first stage; one keyed on aspnet_compiler.exe injecting into another aspnet_compiler.exe catches the second.
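The chains described in the note above can be rebuilt mechanically from the flattened records. The script below is an added example for this report, not part of the sandbox output: it parses the SetThreadContext and Program crash text copied from this page (the one assumption is that each flattened record has the shape "PID <src> set thread context of <dst> <src> <src image> <dst image>"), follows each root injection forward in report order so that a reused PID such as 4616 or 1408 joins only the chain active at that moment, and flags chains whose final host crashed.

```python
"""Rebuild process-hollowing chains from a sandbox report's SetThreadContext rows.

Added example; not part of the original report. Record strings are copied from
the page; the record grammar is assumed from how the table was flattened.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Injection:
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


# Image names may contain spaces or a right-to-left override (U+202E), so the
# source image is matched lazily up to the last whitespace-free token (target).
_REC = re.compile(r"PID (\d+) set thread context of (\d+) \1 (.+?) (\S+)(?= PID |\s*$)")
_CRASH = re.compile(r"(\d+) (\d+) WerFault\.exe (\S+)")


def parse_injections(text: str) -> list[Injection]:
    """Flattened report text -> Injection records, in report order."""
    flat = " ".join(text.split()).rstrip(" -")
    return [Injection(int(s), si, int(d), di) for s, d, si, di in _REC.findall(flat)]


def crashed_pids(text: str) -> set[int]:
    """PIDs WerFault reported on (second column of a 'Program crash' row)."""
    return {int(target) for _, target, _ in _CRASH.findall(" ".join(text.split()))}


def injection_chains(recs: list[Injection]) -> list[list[tuple[int, str]]]:
    """Follow each root injection forward through later records.

    A record is a root when no earlier record targeted its source PID. Links are
    followed only forward in report order, so a PID the host reused joins the
    chain active at that point rather than every chain that ever touched it.
    """
    chains = []
    for i, root in enumerate(recs):
        if any(p.dst_pid == root.src_pid for p in recs[:i]):
            continue
        chain = [(root.src_pid, root.src_image), (root.dst_pid, root.dst_image)]
        cur, j = root.dst_pid, i
        while True:
            nxt = next((k for k in range(j + 1, len(recs)) if recs[k].src_pid == cur), None)
            if nxt is None:
                break
            chain.append((recs[nxt].dst_pid, recs[nxt].dst_image))
            cur, j = recs[nxt].dst_pid, nxt
        chains.append(chain)
    return chains


def first_stage(recs: list[Injection]) -> list[Injection]:
    """Dropper-to-host injections: injector image differs from target image."""
    return [r for r in recs if r.src_image != r.dst_image]


def describe(chains: list[list[tuple[int, str]]], crashed: set[int]) -> list[str]:
    """One line per chain, flagging chains whose last host crashed."""
    out = []
    for chain in chains:
        path = " -> ".join(f"{img} ({pid})" for pid, img in chain)
        out.append(path + (" [target crashed]" if chain[-1][0] in crashed else ""))
    return out


# Rows copied from this report (RLO characters written as \u202e).
SETTHREADCONTEXT = """
PID 1480 set thread context of 3724 1480 Client.exe aspnet_compiler.exe
PID 3724 set thread context of 2424 3724 aspnet_compiler.exe aspnet_compiler.exe
PID 4072 set thread context of 4480 4072 Client.exe aspnet_compiler.exe
PID 4480 set thread context of 1300 4480 aspnet_compiler.exe aspnet_compiler.exe
PID 5008 set thread context of 4936 5008 Client.exe aspnet_compiler.exe
PID 4936 set thread context of 4508 4936 aspnet_compiler.exe aspnet_compiler.exe
PID 4416 set thread context of 2096 4416 Client.exe aspnet_compiler.exe
PID 2096 set thread context of 3412 2096 aspnet_compiler.exe aspnet_compiler.exe
PID 4640 set thread context of 2100 4640 ddddd\u202e4PM..exe aspnet_compiler.exe
PID 2100 set thread context of 1572 2100 aspnet_compiler.exe aspnet_compiler.exe
PID 544 set thread context of 1408 544 ddddd\u202e4PM..exe aspnet_compiler.exe
PID 1408 set thread context of 460 1408 aspnet_compiler.exe aspnet_compiler.exe
PID 4916 set thread context of 4616 4916 ddddd\u202e4PM..exe aspnet_compiler.exe
PID 4616 set thread context of 4036 4616 aspnet_compiler.exe aspnet_compiler.exe
PID 4072 set thread context of 4468 4072 ddddd\u202e4PM..exe aspnet_compiler.exe
PID 4468 set thread context of 4464 4468 aspnet_compiler.exe aspnet_compiler.exe
PID 180 set thread context of 1880 180 Client.exe aspnet_compiler.exe
PID 1880 set thread context of 1556 1880 aspnet_compiler.exe aspnet_compiler.exe
PID 4772 set thread context of 4616 4772 ew\u202e4PM..exe aspnet_compiler.exe
PID 4616 set thread context of 3136 4616 aspnet_compiler.exe aspnet_compiler.exe
PID 3140 set thread context of 208 3140 wwww.exe aspnet_compiler.exe
PID 208 set thread context of 2964 208 aspnet_compiler.exe aspnet_compiler.exe
PID 1496 set thread context of 456 1496 wwww.exe aspnet_compiler.exe
PID 456 set thread context of 1408 456 aspnet_compiler.exe aspnet_compiler.exe
PID 3568 set thread context of 4540 3568 Client.exe aspnet_compiler.exe -
"""
PROGRAM_CRASH = "3224 4540 WerFault.exe aspnet_compiler.exe 3576 4540 WerFault.exe aspnet_compiler.exe"

if __name__ == "__main__":
    recs = parse_injections(SETTHREADCONTEXT)
    for line in describe(injection_chains(recs), crashed_pids(PROGRAM_CRASH)):
        print(line)
```

Run as-is it prints thirteen chains, twelve of length three and one (Client.exe 3568 -> aspnet_compiler.exe 4540) marked as crashed. The same parser works on any report that flattens this table the same way; the forward-only link rule is what keeps PID reuse from merging unrelated chains.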
Drops file in Program Files directory (64 IoCs)
Process winrar-x64-611.exe, under C:\Program Files\WinRAR\ (each file created and then opened for modification unless noted):
  7zxa.dll
  Default.SFX
  Default64.SFX
  Descript.ion (created only)
  License.txt
  Order.htm
  Rar.exe
  Rar.txt
  RarExt.dll
  RarExt32.dll
  RarExtInstaller.exe
  RarExtLogo.altform-unplated_targetsize-32.png
  RarExtLogo.altform-unplated_targetsize-48.png
  RarExtLogo.altform-unplated_targetsize-64.png
  RarExtPackage.msix
  RarFiles.lst
  ReadMe.txt
  Resources.pri
  Uninstall.exe
  Uninstall.lst
  UnRAR.exe
  WhatsNew.txt
  WinCon.SFX
  WinCon64.SFX
  WinRAR.chm
  WinRAR.exe
  Zip.SFX
  Zip64.SFX
  __tmp_rar_sfx_access_check_240615937 (created only)
Process uninstall.exe:
  File created C:\Program Files\WinRAR\rarnew.dat
  File created C:\Program Files\WinRAR\zipnew.dat
Process elevation_service.exe, under C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\ (each created and opened for modification):
  manifest.json
  _metadata\verified_contents.json
  ChromeRecovery.exe
Note: all 64 events are the WinRAR installer unpacking itself (including the Uninstall.exe that later performs the registry work above) and Chrome's own elevation service staging its recovery component. None are attributable to the RAT.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: the second sentence is the sandbox's generic description for this signature. No file encryption or ransom artefacts appear anywhere in this report.
Program crash (2 IoCs)
WerFault PID, crashed PID, process, crashed process:
  3224 4540 WerFault.exe aspnet_compiler.exe
  3576 4540 WerFault.exe aspnet_compiler.exe
Note: 4540 is the aspnet_compiler.exe hollowed by Client.exe PID 3568, the only first-stage injection in the SetThreadContext section that does not go on to hollow a second aspnet_compiler.exe; the payload crashed before completing its second stage.
Checks SCSI registry key(s) (3 TTPs, 15 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process: taskmgr.exe (all 15 events)
Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  Key opened (5 times)
  Key value queried ...\FriendlyName (5 times)
  Key opened ...\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (5 times)
Note: every read comes from Task Manager, which enumerates disk device names for its Performance view, not from the sample or any process it spawned. The sandbox's generic anti-sandbox description does not apply to this run.
Checks processor information in registry (2 TTPs, 42 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and its values, by process:
  aspnet_compiler.exe (the hollowed RAT hosts): key opened 12 times, ProcessorNameString queried 12 times
  Client.exe: key opened 2 times, ProcessorNameString queried 2 times
  bru‮4PM..exe: key opened once, ProcessorNameString queried once
  dw20.exe: key opened 3 times, ProcessorNameString queried 3 times, ~MHz queried 3 times
  svchost.exe: key opened once, ProcessorNameString queried once, ~MHz queried once
Note: 30 of the 42 reads come from aspnet_compiler.exe, Client.exe and bru‮4PM..exe, i.e. the RAT and its droppers reading the CPU name; the remaining 12 are from dw20.exe (Microsoft's .NET error-reporting client) and svchost.exe and are operating-system activity.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 11 IoCs)
Process dw20.exe:
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (3 times)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (3 times)
Process chrome.exe:
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Process svchost.exe:
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Note: none of these BIOS reads come from the sample's processes.
Signature (name not preserved in the page)
Process explorer.exe:
  Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar (3 times)
  Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" (3 times)
  Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser (3 times)
  Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout (3 times, identical value) = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process WinRAR.exe:
  Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"
  Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync
  Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Note: Explorer toolbar-layout writes and shell settings touched by WinRAR.exe; no RAT process is involved.
Modifies registry class 64 IoCs
Processes: Revenge-RAT v0.3.exe, explorer.exe, uninstall.exe, aspnet_compiler.exe, Client.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | Revenge-RAT v0.3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz | uninstall.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | Revenge-RAT v0.3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" | Revenge-RAT v0.3.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000200000001000000ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uu | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" | uninstall.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | Revenge-RAT v0.3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r08 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r22\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR" | uninstall.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Downloads" | Revenge-RAT v0.3.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | uninstall.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 | Revenge-RAT v0.3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.7z | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell | uninstall.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | Revenge-RAT v0.3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | Revenge-RAT v0.3.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r16 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r08\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR" | uninstall.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Revenge-RAT v0.3.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Client.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r01 | uninstall.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Revenge-RAT v0.3.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = 0100000000000000ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | aspnet_compiler.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR | uninstall.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Revenge-RAT v0.3.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 | Revenge-RAT v0.3.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | Revenge-RAT v0.3.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | aspnet_compiler.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Revenge-RAT v0.3.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | Revenge-RAT v0.3.exe
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes: explorer.exe
pid | process
3636 | explorer.exe
1880 | explorer.exe
5040 | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: chrome.exe, Revenge-RAT v0.3x.exe, taskmgr.exe, sdiagnhost.exe
pid | process | hits
400 | chrome.exe | 2
2204 | chrome.exe | 2
4044 | chrome.exe | 2
1588 | chrome.exe | 4
1432 | chrome.exe | 2
4856 | chrome.exe | 2
2288 | chrome.exe | 2
3520 | chrome.exe | 2
2064 | Revenge-RAT v0.3x.exe | 8
2700 | chrome.exe | 4
3596 | taskmgr.exe | 30
3112 | sdiagnhost.exe | 1
3692 | taskmgr.exe | 3
-
Suspicious behavior: GetForegroundWindowSpam 6 IoCs
Processes: WinRAR.exe, Revenge-RAT v0.3.exe, explorer.exe, taskmgr.exe
pid | process
2988 | WinRAR.exe
1964 | Revenge-RAT v0.3.exe
4012 | Revenge-RAT v0.3.exe
1880 | explorer.exe
2416 | taskmgr.exe
3480 | taskmgr.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Processes: chrome.exe
pid | process | hits
2204 | chrome.exe | 14
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
Processes: TiWorker.exe, Revenge-RAT v0.3.exe, Client.exe, aspnet_compiler.exe, taskmgr.exe, dw20.exe, sdiagnhost.exe, ddddd‮4PM..exe, ew‮4PM..exe, bru‮4PM..exe, wwww.exe
description | pid | process
Token: SeLockMemoryPrivilege | 4584 | TiWorker.exe
Token: SeDebugPrivilege | 1964 | Revenge-RAT v0.3.exe
Token: SeDebugPrivilege | 1480 | Client.exe
Token: SeDebugPrivilege | 3724 | aspnet_compiler.exe
Token: SeDebugPrivilege | 4072 | Client.exe
Token: SeDebugPrivilege | 4480 | aspnet_compiler.exe
Token: SeDebugPrivilege | 5008 | Client.exe
Token: SeDebugPrivilege | 4936 | aspnet_compiler.exe
Token: SeDebugPrivilege | 4416 | Client.exe
Token: SeDebugPrivilege | 2096 | aspnet_compiler.exe
Token: SeDebugPrivilege | 3596 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3596 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3596 | taskmgr.exe
Token: 33 | 3596 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 3596 | taskmgr.exe
Token: SeBackupPrivilege | 4220 | dw20.exe
Token: SeBackupPrivilege | 4220 | dw20.exe
Token: SeBackupPrivilege | 4416 | dw20.exe
Token: SeBackupPrivilege | 4416 | dw20.exe
Token: SeBackupPrivilege | 3484 | dw20.exe
Token: SeBackupPrivilege | 3484 | dw20.exe
Token: SeDebugPrivilege | 3112 | sdiagnhost.exe
Token: SeDebugPrivilege | 3692 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3692 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3692 | taskmgr.exe
Token: 33 | 3692 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 3692 | taskmgr.exe
Token: SeDebugPrivilege | 4640 | ddddd‮4PM..exe
Token: SeDebugPrivilege | 2100 | aspnet_compiler.exe
Token: SeDebugPrivilege | 544 | ddddd‮4PM..exe
Token: SeDebugPrivilege | 1408 | aspnet_compiler.exe
Token: SeDebugPrivilege | 4916 | ddddd‮4PM..exe
Token: SeDebugPrivilege | 4616 | aspnet_compiler.exe
Token: SeDebugPrivilege | 4072 | ddddd‮4PM..exe
Token: SeDebugPrivilege | 4468 | aspnet_compiler.exe
Token: SeDebugPrivilege | 180 | Client.exe
Token: SeDebugPrivilege | 1880 | aspnet_compiler.exe
Token: SeDebugPrivilege | 2416 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2416 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2416 | taskmgr.exe
Token: SeDebugPrivilege | 4772 | ew‮4PM..exe
Token: SeDebugPrivilege | 4616 | aspnet_compiler.exe
Token: 33 | 2416 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 2416 | taskmgr.exe
Token: SeDebugPrivilege | 3636 | bru‮4PM..exe
Token: SeDebugPrivilege | 4388 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4388 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4388 | taskmgr.exe
Token: SeDebugPrivilege | 1160 | Client.exe
Token: SeDebugPrivilege | 2488 | Client.exe
Token: 33 | 4388 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4388 | taskmgr.exe
Token: SeDebugPrivilege | 3140 | wwww.exe
Token: SeDebugPrivilege | 208 | aspnet_compiler.exe
Token: SeDebugPrivilege | 3480 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3480 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3480 | taskmgr.exe
Token: SeDebugPrivilege | 1496 | wwww.exe
Token: SeDebugPrivilege | 456 | aspnet_compiler.exe
Token: SeDebugPrivilege | 3568 | Client.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: chrome.exe, WinRAR.exe, Revenge-RAT v0.3.exe
pid | process | hits
2204 | chrome.exe | 55
2988 | WinRAR.exe | 8
1964 | Revenge-RAT v0.3.exe | 1
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: chrome.exe, Revenge-RAT v0.3.exe, taskmgr.exe
pid | process | hits
2204 | chrome.exe | 32
1964 | Revenge-RAT v0.3.exe | 3
4012 | Revenge-RAT v0.3.exe | 2
3596 | taskmgr.exe | 27
-
Suspicious use of SetWindowsHookEx 38 IoCs
Processes: OpenWith.exe, winrar-x64-611.exe, WinRAR.exe, Revenge-RAT v0.3x.exe, Revenge-RAT v0.3.exe, ilasm.exe, explorer.exe, dw20.exe, Resource Hacker.exe
pid | process | hits (consecutive, in report order)
2656 | OpenWith.exe | 1
1396 | winrar-x64-611.exe | 2
2988 | WinRAR.exe | 2
2064 | Revenge-RAT v0.3x.exe | 1
1964 | Revenge-RAT v0.3.exe | 3
804 | ilasm.exe | 1
3636 | explorer.exe | 2
4012 | Revenge-RAT v0.3.exe | 2
2808 | ilasm.exe | 1
1880 | explorer.exe | 2
4220 | dw20.exe | 1
4416 | dw20.exe | 1
3484 | dw20.exe | 1
4012 | Revenge-RAT v0.3.exe | 2
2220 | ilasm.exe | 1
212 | Resource Hacker.exe | 1
4012 | Revenge-RAT v0.3.exe | 3
544 | ilasm.exe | 1
3196 | Resource Hacker.exe | 1
4012 | Revenge-RAT v0.3.exe | 1
1568 | ilasm.exe | 1
4508 | Resource Hacker.exe | 1
4012 | Revenge-RAT v0.3.exe | 2
3928 | ilasm.exe | 1
1492 | Resource Hacker.exe | 1
5040 | explorer.exe | 2
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: chrome.exe
description | pid | process | target pid | target process | hits
PID 2204 wrote to memory of 2248 | 2204 | chrome.exe | 2248 | chrome.exe | 2
PID 2204 wrote to memory of 4888 | 2204 | chrome.exe | 4888 | chrome.exe | 40
PID 2204 wrote to memory of 400 | 2204 | chrome.exe | 400 | chrome.exe | 2
PID 2204 wrote to memory of 4312 | 2204 | chrome.exe | 4312 | chrome.exe | 20
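The rows in the Signatures sections above are flat sandbox output, and the interesting pattern in them is easy to miss by eye: every SeDebugPrivilege row for Client.exe, for the `ddddd‮4PM..exe` variants and for wwww.exe is followed by one for aspnet_compiler.exe, a .NET SDK build tool that has no reason of its own to take that privilege (the report records the privilege changes, not the injection call itself, so this is a lead to confirm, not proof). The `ddddd‮4PM..exe`, `ew‮4PM..exe` and `bru‮4PM..exe` names also contain U+202E, the right-to-left override, which makes the trailing "exe" render as part of an ".MP4"-looking name. The script below is an added example of mine, not tooling from the report or from the sandbox: it parses the three row shapes used on this page (registry writes, token-privilege adjustments, cross-process memory writes) and applies those checks plus two more a responder would want, COM server registrations under CLSID\...\InProcServer32 or LocalServer32, and memory writes between different images. The allow-list of processes expected to take SeDebugPrivilege, the list of .NET host binaries and the rule names are my assumptions; the sample rows are copied from this section.

```python
"""Triage of flattened sandbox "Signatures" rows.

Added example for this page; not part of the report or of any sandbox's tooling.
"""
import re
from dataclasses import dataclass

# The three row shapes used in the Signatures section of this report.
REG_RE = re.compile(
    r"^(?P<action>Key created|Key deleted|Set value \((?:str|int|data)\))\s"
    r"(?P<key>\\REGISTRY\\.+?)"                      # key path; may contain spaces
    r'(?:\s=\s(?P<value>"[^"]*"|[0-9a-fA-F]+))?'     # quoted string or hex blob
    r"\s(?P<proc>[^\\]+?\.exe)$"                     # image name; may contain spaces
)
TOKEN_RE = re.compile(r"^Token:\s(?P<priv>\S+)\s(?P<pid>\d+)\s(?P<proc>.+\.exe)$")
WPM_RE = re.compile(
    r"^PID\s(?P<src>\d+)\swrote to memory of\s(?P<dst>\d+)\s(?P=src)\s"
    r"(?P<src_img>.+?\.exe)\s(?P<dst_img>.+?\.exe)$"  # assumes images end in .exe
)

# Assumptions, not facts from the report: processes expected to take
# SeDebugPrivilege in an analysis VM, and .NET framework binaries that are
# commonly used as hosts for injected payloads.
DEBUG_PRIV_ALLOWLIST = {"taskmgr.exe", "sdiagnhost.exe", "tiworker.exe"}
DOTNET_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe"}
# Unicode bidi controls; U+202E (RLO) is the one in the ddddd...exe rows above.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
COM_SERVER_RE = re.compile(r"\\(?:InProc|Local)Server32(?:\\|$)")


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def parse_row(line):
    """Return (kind, fields) for a row, or (None, {}) if no shape matches."""
    for kind, rx in (("registry", REG_RE), ("token", TOKEN_RE), ("wpm", WPM_RE)):
        m = rx.match(line.strip())
        if m:
            return kind, m.groupdict()
    return None, {}


def triage(rows):
    """Apply the rules to rows in report order; findings come back in that order."""
    findings = []
    prev_debug = None  # image name from the previous SeDebugPrivilege row
    for line in rows:
        kind, f = parse_row(line)
        if kind == "token":
            proc, low, pid = f["proc"], f["proc"].lower(), f["pid"]
            if BIDI_CONTROLS & set(proc):
                findings.append(Finding("bidi-override-filename", proc, f"pid {pid}"))
            if f["priv"] == "SeDebugPrivilege":
                if low not in DEBUG_PRIV_ALLOWLIST:
                    findings.append(Finding("unexpected-sedebug", proc, f"pid {pid}"))
                if low in DOTNET_HOSTS and prev_debug and prev_debug.lower() not in DOTNET_HOSTS:
                    findings.append(Finding("sedebug-then-dotnet-host", prev_debug,
                                            f"followed by {proc} pid {pid}"))
                prev_debug = proc
        elif kind == "registry":
            if COM_SERVER_RE.search(f["key"]):
                findings.append(Finding("com-server-registration", f["proc"], f["key"]))
        elif kind == "wpm":
            if f["src_img"].lower() != f["dst_img"].lower():
                findings.append(Finding("cross-image-memory-write", f["src_img"],
                                        f"{f['src']} -> {f['dst']} {f['dst_img']}"))
        else:
            findings.append(Finding("unparsed-row", "", line.strip()))  # never drop silently
    return findings


# Rows copied from this report section (a subset, in report order).
SAMPLE_ROWS = [
    "Token: SeLockMemoryPrivilege 4584 TiWorker.exe",
    "Token: SeDebugPrivilege 1964 Revenge-RAT v0.3.exe",
    "Token: SeDebugPrivilege 1480 Client.exe",
    "Token: SeDebugPrivilege 3724 aspnet_compiler.exe",
    "Token: SeDebugPrivilege 3596 taskmgr.exe",
    "Token: SeDebugPrivilege 4640 ddddd\u202e4PM..exe",
    "Token: SeDebugPrivilege 2100 aspnet_compiler.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" uninstall.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" uninstall.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Revenge-RAT v0.3.exe',
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ aspnet_compiler.exe",
    "PID 2204 wrote to memory of 4888 2204 chrome.exe chrome.exe",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ROWS):
        print(f"{hit.rule:28} {hit.process!r:28} {hit.detail}")
```

On the sample rows this yields nine findings: five unexpected-sedebug hits (Revenge-RAT v0.3.exe, Client.exe, both aspnet_compiler.exe PIDs and the RLO-named binary), two sedebug-then-dotnet-host pairs, one bidi-override-filename and one com-server-registration (WinRAR's own shell extension, registered under HKLM by its uninstall.exe, so benign here but exactly the key class a COM hijack would write). The chrome-to-chrome memory writes are not flagged because source and target images match; a write from one image into another (for example a client binary into aspnet_compiler.exe) would be. Any row the parser does not understand is reported as unparsed-row rather than dropped, which matters when a report format drifts.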
Processes (the bracketed number is the depth in the process tree as the sandbox recorded it; a [2] entry is a child of the preceding [1] entry)
-
[1] C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\hitho.lua
-
[1] C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious use of SetWindowsHookEx
-
[1] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6d814f50,0x7ffd6d814f60,0x7ffd6d814f70
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1592 /prefetch:2
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4484 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5832 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6292 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3212 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6836 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7132 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7012 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6992 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7496 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7620 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7576 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7792 /prefetch:8
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
-
[2] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6428 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3300 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6380 /prefetch:82⤵
-
C:\Users\Admin\Downloads\winrar-x64-611.exe"C:\Users\Admin\Downloads\winrar-x64-611.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5836 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6264 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Revenge-RAT v0.3.zip"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1408 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5276 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4292 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1504 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1260 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4316 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1472 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6572 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1176 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7420 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1176 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={d7aea397-d806-43ad-9333-de4f9d7335f8} --system2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"3⤵
-
C:\Windows\system32\schtasks.exeschtasks /End /TN "WindowsUpdate"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "WindowsUpdate" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"3⤵
-
C:\Windows\system32\schtasks.exeschtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit2⤵
-
C:\Windows\system32\certutil.execertutil –addstore –f root MicrosoftWindows.crt3⤵
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\Client.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe" dotNET_Reactor.exe -file "C:\Users\Admin\Downloads\Client.exe" -antitamp[1] -suppressildasm[1] -obfuscate_public_types[1] -stringencryption[1] -obfuscation[1] -targetfile "C:\Users\Admin\Downloads\Client.exe"3⤵
- Executes dropped EXE
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select,C:\Users\Admin\Downloads\Client.exe3⤵
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\ded.exe" /resource:Extensions\Admin.res4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB256.tmp" "Extensions\Admin.res"5⤵
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\mpress.exe"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\mpress.exe" C:\Users\Admin\Downloads\ded.exe -s4⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe" dotNET_Reactor.exe -file "C:\Users\Admin\Downloads\ded.exe" -antitamp[1] -suppressildasm[1] -obfuscate_public_types[1] -stringencryption[1] -obfuscation[1] -targetfile "C:\Users\Admin\Downloads\ded.exe"4⤵
- Executes dropped EXE
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select,C:\Users\Admin\Downloads\ded.exe4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\ddddd.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\GoRC.exeExtensions\GoRC /r Extensions\Information.rc4⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Resource Hacker.exe"Extensions\Resource Hacker" -addoverwrite C:\Users\Admin\Downloads\ddddd.exe,C:\Users\Admin\Downloads\ddddd.exe,C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Information.res,VERSIONINFO,1,4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\ew.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\GoRC.exeExtensions\GoRC /r Extensions\Information.rc4⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Resource Hacker.exe"Extensions\Resource Hacker" -addoverwrite C:\Users\Admin\Downloads\ew.exe,C:\Users\Admin\Downloads\ew.exe,C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Information.res,VERSIONINFO,1,4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\bru.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\GoRC.exeExtensions\GoRC /r Extensions\Information.rc4⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Resource Hacker.exe"Extensions\Resource Hacker" -addoverwrite C:\Users\Admin\Downloads\bru.exe,C:\Users\Admin\Downloads\bru.exe,C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Information.res,VERSIONINFO,1,4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\wwww.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\GoRC.exeExtensions\GoRC /r Extensions\Information.rc4⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Resource Hacker.exe"Extensions\Resource Hacker" -addoverwrite C:\Users\Admin\Downloads\wwww.exe,C:\Users\Admin\Downloads\wwww.exe,C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Information.res,VERSIONINFO,1,4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe" dotNET_Reactor.exe -file "C:\Users\Admin\Downloads\wwww.exe" -obfuscate_public_types[1] -stringencryption[1] -obfuscation[1] -targetfile "C:\Users\Admin\Downloads\wwww.exe"4⤵
- Executes dropped EXE
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select,C:\Users\Admin\Downloads\wwww.exe4⤵
-
C:\Windows\SysWOW64\TiWorker.exeC:\Windows\SysWOW64\TiWorker.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Client.exe"C:\Users\Admin\Downloads\Client.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵
-
C:\Users\Admin\Downloads\Client.exe"C:\Users\Admin\Downloads\Client.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"5⤵
-
C:\Users\Admin\Downloads\Client.exe"C:\Users\Admin\Downloads\Client.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"6⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\Client.exe"C:\Users\Admin\AppData\Roaming\Client.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"8⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"9⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\ded.exe"C:\Users\Admin\Downloads\ded.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 7803⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\ded.exe"C:\Users\Admin\Downloads\ded.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 7763⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\ded.exe"C:\Users\Admin\Downloads\ded.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 7763⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\pcwrun.exeC:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\ded.exe" ContextMenu2⤵
-
C:\Windows\System32\msdt.exeC:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW71ED.xml /skip TRUE3⤵
-
C:\Windows\System32\sdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -Embedding1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\ddddd‮4PM..exe"C:\Users\Admin\Downloads\ddddd‮4PM..exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵
-
C:\Users\Admin\Downloads\ddddd‮4PM..exe"C:\Users\Admin\Downloads\ddddd‮4PM..exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"5⤵
-
C:\Users\Admin\Downloads\ddddd‮4PM..exe"C:\Users\Admin\Downloads\ddddd‮4PM..exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
[depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

[depth 7; the file name contains U+202E RIGHT-TO-LEFT OVERRIDE, so it is displayed with a .MP4 extension while its real extension is .exe] C:\Users\Admin\Downloads\ddddd‮4PM..exe
Command line: "C:\Users\Admin\Downloads\ddddd‮4PM..exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken

[depth 8] C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken

[depth 9] C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

[depth 9] C:\Users\Admin\AppData\Roaming\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken

[depth 10] C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken

[depth 11] C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

[depth 1] C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken

[depth 1; the file name contains U+202E RIGHT-TO-LEFT OVERRIDE, so it is displayed with a .MP4 extension while its real extension is .exe] C:\Users\Admin\Downloads\ew‮4PM..exe
Command line: "C:\Users\Admin\Downloads\ew‮4PM..exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken

[depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

[depth 1; the file name contains U+202E RIGHT-TO-LEFT OVERRIDE, so it is displayed with a .MP4 extension while its real extension is .exe] C:\Users\Admin\Downloads\bru‮4PM..exe
Command line: "C:\Users\Admin\Downloads\bru‮4PM..exe"
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Users\Admin\AppData\Roaming\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken

[depth 3] C:\Users\Admin\AppData\Roaming\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

[depth 2] C:\Users\Admin\Downloads\wwww.exe
Command line: "C:\Users\Admin\Downloads\wwww.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken

[depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken

[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

[depth 4] C:\Users\Admin\Downloads\wwww.exe
Command line: "C:\Users\Admin\Downloads\wwww.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken

[depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

[depth 6] C:\Users\Admin\AppData\Roaming\Client.exe
Command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken

[depth 7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

[depth 8] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 228
- Program crash

[depth 8] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 232
- Program crash

[depth 1] C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 4540

[depth 1] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4540 -ip 4540
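The tree above shows the pattern the SetThreadContext signatures point at: a dropped executable (three of them named with a trailing U+202E so that an .exe is shown as an .MP4) starts a signed, argument-less .NET utility, aspnet_compiler.exe, sets its thread context, and that host then spawns the next one. The Python below is added here as an example and is not part of the sandbox report or its tooling. It runs two checks over a constructed set of process records modelled on this tree: it exposes right-to-left-override file names by computing how a bidi-aware shell renders them, and it flags hollowing hosts whose parent is suspicious. The PIDs and parent links are hypothetical because the extracted report does not show them, and the list of host binaries is a general starting set, not something the report provides.

```python
"""Two checks over a sandbox process tree: right-to-left-override (RTLO)
file names, and process-hollowing hosts spawned by a suspicious parent.

Added example for this report, not part of the original page or of the
sandbox.  SAMPLE is constructed from the tree above; its PIDs and parent
links are hypothetical because the extracted report does not show them."""
import os
import re

RLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE
SET_THREAD_CONTEXT = "Suspicious use of SetThreadContext"

# Signed .NET utilities commonly used as hollowing hosts: predictable path,
# trusted signer, and they simply exit when started without arguments.
# (General starting set, not a list the report provides.)
HOLLOW_HOSTS = {
    "aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "msbuild.exe", "csc.exe", "vbc.exe",
}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(downloads|appdata)\\", re.I)

ASPNET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
EW = r"C:\Users\Admin\Downloads\ew" + RLO + "4PM..exe"

SAMPLE = [  # constructed; behaviour strings are the sandbox's signature names
    {"pid": 100, "ppid": 4, "image": EW, "cmd": f'"{EW}"',
     "behaviours": {"Executes dropped EXE", SET_THREAD_CONTEXT}},
    {"pid": 101, "ppid": 100, "image": ASPNET, "cmd": f'"{ASPNET}"',
     "behaviours": {SET_THREAD_CONTEXT, "Checks processor information in registry"}},
    {"pid": 102, "ppid": 101, "image": ASPNET, "cmd": f'"{ASPNET}"', "behaviours": set()},
    {"pid": 200, "ppid": 4, "image": r"C:\Windows\system32\taskmgr.exe",
     "cmd": r'"C:\Windows\system32\taskmgr.exe" /4',
     "behaviours": {"Checks SCSI registry key(s)"}},
]


def _basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/"))


def displayed_name(name: str) -> str:
    """Render a file name the way a bidi-aware UI draws it: everything after
    the RLO is shown reversed, so 'ew<RLO>4PM..exe' appears as 'ewexe..MP4'."""
    i = name.find(RLO)
    if i < 0:
        return name
    return name[:i] + name[i + 1:][::-1]


def rtlo_findings(procs):
    """Processes whose image name hides its real extension behind U+202E."""
    out = []
    for p in procs:
        name = _basename(p["image"])
        if RLO not in name:
            continue
        shown = displayed_name(name)
        out.append({
            "pid": p["pid"],
            "real_ext": os.path.splitext(name)[1].lower(),      # what the loader uses
            "apparent_ext": os.path.splitext(shown)[1].lower(),  # what the user sees
            "displayed_as": shown,
        })
    return out


def _has_no_args(cmd: str, image: str) -> bool:
    return cmd.strip().strip('"').lower() == image.lower()


def hollowing_findings(procs):
    """A known hollowing host started with no arguments, by a parent that used
    SetThreadContext or lives in a user-writable directory, matches the
    CreateProcess(SUSPENDED) -> write image -> SetThreadContext -> Resume chain.
    Two independent reasons are required so that a legitimate build-tool
    invocation of the same binary does not fire on its own."""
    by_pid = {p["pid"]: p for p in procs}
    out = []
    for p in procs:
        host = _basename(p["image"]).lower()
        parent = by_pid.get(p["ppid"])
        if host not in HOLLOW_HOSTS or parent is None:
            continue
        reasons = []
        if SET_THREAD_CONTEXT in parent["behaviours"]:
            reasons.append("parent used SetThreadContext")
        if USER_WRITABLE.match(parent["image"]):
            reasons.append("parent runs from a user-writable directory")
        if _has_no_args(p["cmd"], p["image"]):
            reasons.append("host started with no arguments")
        if len(reasons) >= 2:
            out.append({"pid": p["pid"], "host": host,
                        "parent_pid": parent["pid"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for finding in rtlo_findings(SAMPLE) + hollowing_findings(SAMPLE):
        print(finding)
```

On the constructed sample the second check fires both for the host spawned by the dropped executable and for the host spawned by an already-hollowed host, which is the shape of every aspnet_compiler.exe chain in the tree above; taskmgr.exe is not a listed host and is ignored.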
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\ChromeRecovery.exe
Filesize: 253KB
MD5: 49ac3c96d270702a27b4895e4ce1f42a
SHA1: 55b90405f1e1b72143c64113e8bc65608dd3fd76
SHA256: 82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
SHA512: b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

C:\Program Files\WinRAR\Rar.txt
Filesize: 107KB
MD5: 8933d6e810668af29d7ba8f1c3b2b9ff
SHA1: 760cbb236c4ca6e0003582aaefd72ff8b1c872aa
SHA256: cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7
SHA512: 344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e

C:\Program Files\WinRAR\RarExt.dll
Filesize: 632KB
MD5: 650a771d005941c7a23926011d75ad8f
SHA1: 84b346acd006f21d7ffb8d5ea5937ec0ee3daa4f
SHA256: b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f
SHA512: 4724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad

C:\Program Files\WinRAR\Uninstall.exe
Filesize: 412KB
MD5: 92667e28583a9489e3cf4f1a7fd6636e
SHA1: faa09990ba4daae970038ed44e3841151d6e7f28
SHA256: 9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959
SHA512: 63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

C:\Program Files\WinRAR\WhatsNew.txt
Filesize: 95KB
MD5: d4c768c52ee077eb09bac094f4af8310
SHA1: c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1
SHA256: 8089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c
SHA512: 5b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847

C:\Program Files\WinRAR\WinRAR.chm
Filesize: 314KB
MD5: 81b236ef16aaa6a3936fd449b12b82a2
SHA1: 698acb3c862c7f3ecf94971e4276e531914e67bc
SHA256: d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e
SHA512: 968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769

C:\Program Files\WinRAR\WinRAR.exe
Filesize: 2.3MB
MD5: 0b114fc0f4b6d49f57b3b01dd9ea6a8c
SHA1: 23e1480c3ff3a54e712d759e9325d362bf52fabd
SHA256: f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd
SHA512: e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize: 141KB
MD5: ea1c1ffd3ea54d1fb117bfdbb3569c60
SHA1: 10958b0f690ae8f5240e1528b1ccffff28a33272
SHA256: 7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d
SHA512: 6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
Filesize: not recorded (all four digests below are those of an empty input, so nothing usable was captured here)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe
Filesize: 8.6MB
MD5: d1e07bb41ff7de2c390da54e77e7b12f
SHA1: 086be6814f70e8ec023f9c9572fef6b46fdaf838
SHA256: b265ae51d014e34ef1db74dc62530e5d146114a3dd3f8eefd80a7b66794cfd17
SHA512: 2aa0c7a92b06c477687d3c2fa02b878caf08345c52b51543a429fc8e9d74761bea3d70a0aebc617a04241f8ab85132befb4efb9db8cf054fd273683a05946805

C:\Users\Admin\Downloads\Revenge-RAT v0.3.zip
Filesize: 18.5MB
MD5: a284f3db141e523862caab4bbab2ddad
SHA1: f9b60df687cb5aa472c476818405a98fb8d59f00
SHA256: b0e50a5a8fe0c15dae80c41818571ca1b65a2d6868bfc626865ae673df51df66
SHA512: bbcda1e425310bdcabeb126a18ec8a8d958f0f1e7d909f9ff55d3dcaff430f4909de6137f33bafb7b97ba6cd9bbfe236e47ab1bd1299c6cc280fcd50d2674beb

C:\Users\Admin\Downloads\winrar-x64-611.exe
Filesize: 3.3MB
MD5: 8a6217d94e1bcbabdd1dfcdcaa83d1b3
SHA1: 99b81b01f277540f38ea3e96c9c6dc2a57dfeb92
SHA256: 3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
SHA512: a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

C:\Windows\SysWOW64\MicrosoftWindows.xml
Filesize: 4KB
MD5: b1cbfcc7b7a5716a30b77f5dc5bb6135
SHA1: 5c397ffd7a845b2fdf9e82ff73698784a91a2fb9
SHA256: 96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430
SHA512: d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7

C:\Windows\SysWOW64\TiWorker.exe
Filesize: 3.2MB
MD5: ecede3c32ce83ff76ae584c938512c5a
SHA1: 090b15025e131cc03098f6f0d8fa5366bc5fa1f0
SHA256: 366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
SHA512: 61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

\??\pipe\crashpad_2204_PJBGXOLPCBQTHENM
Filesize: not recorded (all four digests below are those of an empty input, so nothing usable was captured here)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

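The dropped-file list above mixes real artifacts with two entries (the Caches directory and the crashpad named pipe) whose four digests are all the digests of zero bytes, and it repeats some records verbatim. The Python below is added as an example and is not the sandbox's own tooling: it parses the fused label/value form in which the list was extracted (including the variant where a zero-byte entry has no size and the MD5 label fuses onto the path), validates digest lengths, drops verbatim duplicates, and marks zero-byte entries so they are not shipped as indicators. RAW is a constructed excerpt of the listing above.

```python
"""Parse a sandbox dropped-file hash list and separate shippable indicators
from zero-byte and duplicate entries.

Added example, not part of the original report.  RAW is a constructed
excerpt in the fused label/value form in which the page was extracted."""
import hashlib
import re

RAW = r"""-
C:\Program Files\WinRAR\Rar.txtFilesize
107KB
MD58933d6e810668af29d7ba8f1c3b2b9ff
SHA1760cbb236c4ca6e0003582aaefd72ff8b1c872aa
SHA256cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7
SHA512344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\CachesMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_2204_PJBGXOLPCBQTHENMMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Program Files\WinRAR\Rar.txtFilesize
107KB
MD58933d6e810668af29d7ba8f1c3b2b9ff
SHA1760cbb236c4ca6e0003582aaefd72ff8b1c872aa
SHA256cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7
SHA512344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes, computed rather than hard-coded so they cannot be mistyped.
EMPTY = {alg: hashlib.new(alg.lower(), b"").hexdigest() for alg in HEX_LEN}


def _digest(alg: str, value: str, path: str) -> str:
    value = value.lower()
    if len(value) != HEX_LEN[alg] or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"bad {alg} digest for {path!r}: {value!r}")
    return value


def parse_entries(text: str):
    """Split the list on its '-' separator lines and unfuse each record.
    Two shapes occur: '<path>Filesize' + size line, or, for zero-byte
    entries with no size, '<path>MD5' with the MD5 value on the next line."""
    entries = []
    for chunk in re.split(r"(?m)^-\s*$", text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        head, rest = lines[0], lines[1:]
        rec = {"path": head, "size": None, "hashes": {}}
        if head.endswith("Filesize"):
            rec["path"] = head[: -len("Filesize")]
            rec["size"] = rest.pop(0)
        elif head.endswith("MD5"):
            rec["path"] = head[: -len("MD5")]
            rec["hashes"]["MD5"] = _digest("MD5", rest.pop(0), rec["path"])
        for line in rest:
            m = HASH_LINE.match(line)
            if not m:
                raise ValueError(f"unexpected line in entry {rec['path']!r}: {line!r}")
            rec["hashes"][m.group(1)] = _digest(m.group(1), m.group(2), rec["path"])
        entries.append(rec)
    return entries


def is_empty_file(rec) -> bool:
    """True when every recorded digest is the digest of zero bytes."""
    h = rec["hashes"]
    return bool(h) and all(h[alg] == EMPTY[alg] for alg in h)


def dedupe(entries):
    seen, out = set(), []
    for rec in entries:
        key = (rec["path"], rec["hashes"].get("SHA256"))
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def shippable(entries):
    """Deduplicated records that actually carry content."""
    return [rec for rec in dedupe(entries) if not is_empty_file(rec)]


if __name__ == "__main__":
    for rec in shippable(parse_entries(RAW)):
        print(rec["path"], rec["size"], rec["hashes"]["SHA256"])
```

Keying the duplicate check on path plus SHA256 keeps two genuinely different files at the same path (a re-drop with new content) as separate records, which is what an analyst wants from a sandbox listing.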
memory/180-312-0x0000000000000000-mapping.dmp
memory/180-314-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp (Filesize: 10.2MB)
memory/208-337-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
memory/208-335-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
memory/212-274-0x0000000000000000-mapping.dmp
memory/460-289-0x0000000000000000-mapping.dmp
memory/460-291-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/544-285-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp (Filesize: 10.2MB)
memory/544-283-0x0000000000000000-mapping.dmp
memory/804-188-0x0000000000000000-mapping.dmp
memory/1160-331-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp (Filesize: 10.2MB)
memory/1300-220-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/1300-217-0x0000000000000000-mapping.dmp
memory/1372-189-0x0000000000000000-mapping.dmp
memory/1372-190-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/1372-191-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/1396-133-0x0000000000000000-mapping.dmp
memory/1408-293-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/1408-288-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/1408-287-0x0000000000407E4E-mapping.dmp
memory/1480-202-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/1496-160-0x0000000000000000-mapping.dmp
memory/1556-318-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/1572-155-0x0000000000000000-mapping.dmp
memory/1572-279-0x0000000000000000-mapping.dmp
memory/1572-280-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
memory/1572-281-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/1680-169-0x0000000000000000-mapping.dmp
memory/1712-268-0x0000000000000000-mapping.dmp
memory/1752-172-0x0000000000000000-mapping.dmp
memory/1820-251-0x0000000000000000-mapping.dmp
memory/1880-320-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/1880-316-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/1956-137-0x0000000000000000-mapping.dmp
memory/1964-186-0x000002A7E58E9000-0x000002A7E58EF000-memory.dmp (Filesize: 24KB)
memory/1964-187-0x000002A7E58E9000-0x000002A7E58EF000-memory.dmp (Filesize: 24KB)
memory/1964-183-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp (Filesize: 10.8MB)
memory/1964-182-0x000002A7CA500000-0x000002A7CB2C4000-memory.dmp (Filesize: 13.8MB)
memory/1964-181-0x0000000000000000-mapping.dmp
memory/1964-194-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp (Filesize: 10.8MB)
memory/1964-185-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp (Filesize: 10.8MB)
memory/1964-195-0x000002A7E58E9000-0x000002A7E58EF000-memory.dmp (Filesize: 24KB)
memory/2040-192-0x0000000000000000-mapping.dmp
memory/2080-164-0x0000000000000000-mapping.dmp
memory/2096-245-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/2096-247-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/2096-246-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/2096-237-0x0000000000000000-mapping.dmp
memory/2100-276-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
memory/2100-277-0x0000000000407E4E-mapping.dmp
memory/2100-282-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/2100-284-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/2100-278-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/2220-272-0x0000000000000000-mapping.dmp
memory/2284-273-0x0000000000000000-mapping.dmp
memory/2416-162-0x0000000000000000-mapping.dmp
memory/2424-205-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
memory/2424-209-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/2424-204-0x0000000000000000-mapping.dmp
memory/2424-206-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/2444-156-0x0000000000000000-mapping.dmp
memory/2488-332-0x00007FFD54E20000-0x00007FFD55856000-memory.dmp (Filesize: 10.2MB)
memory/2700-161-0x0000000000000000-mapping.dmp
memory/2704-256-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/2704-254-0x0000000000000000-mapping.dmp
memory/2704-255-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/2808-250-0x0000000000000000-mapping.dmp
memory/2964-342-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
memory/2988-144-0x0000000000000000-mapping.dmp
memory/3112-269-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp (Filesize: 10.8MB)
memory/3112-271-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp (Filesize: 10.8MB)
memory/3112-270-0x0000015075700000-0x0000015075722000-memory.dmp (Filesize: 136KB)
memory/3200-163-0x0000000000000000-mapping.dmp
memory/3412-244-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/3412-242-0x0000000000000000-mapping.dmp
memory/3476-257-0x0000000000000000-mapping.dmp
memory/3484-266-0x0000000000000000-mapping.dmp
memory/3636-330-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp (Filesize: 10.2MB)
memory/3636-177-0x0000000000000000-mapping.dmp
memory/3724-199-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)
memory/3724-198-0x0000000000000000-mapping.dmp
memory/3724-203-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/3724-201-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)
memory/3724-211-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/3724-208-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4012-249-0x0000010FBA3E9000-0x0000010FBA3EF000-memory.dmp (Filesize: 24KB)
memory/4012-196-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp (Filesize: 10.8MB)
memory/4012-311-0x0000010FBE260000-0x0000010FBE2BA000-memory.dmp (Filesize: 360KB)
memory/4012-248-0x0000010FBA3E9000-0x0000010FBA3EF000-memory.dmp (Filesize: 24KB)
memory/4012-207-0x0000010FBB950000-0x0000010FBB966000-memory.dmp (Filesize: 88KB)
memory/4012-321-0x0000010FC0E10000-0x0000010FC0E14000-memory.dmp (Filesize: 16KB)
memory/4012-193-0x0000000000000000-mapping.dmp
memory/4012-319-0x0000010FC0E10000-0x0000010FC0E14000-memory.dmp (Filesize: 16KB)
memory/4012-197-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp (Filesize: 10.8MB)
memory/4036-298-0x0000000000000000-mapping.dmp
memory/4036-300-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4072-210-0x0000000000000000-mapping.dmp
memory/4072-303-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp (Filesize: 10.2MB)
memory/4072-216-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4072-159-0x0000000000000000-mapping.dmp
memory/4072-301-0x0000000000000000-mapping.dmp
memory/4188-168-0x0000000000000000-mapping.dmp
memory/4220-260-0x0000000000000000-mapping.dmp
memory/4256-158-0x0000000000000000-mapping.dmp
memory/4348-267-0x0000000000000000-mapping.dmp
memory/4416-263-0x0000000000000000-mapping.dmp
memory/4416-241-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4416-236-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4416-234-0x0000000000000000-mapping.dmp
memory/4464-307-0x0000000000000000-mapping.dmp
memory/4464-309-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4468-306-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4468-313-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4468-305-0x0000000000407E4E-mapping.dmp
memory/4468-310-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4480-223-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4480-221-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4480-218-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4480-212-0x0000000000000000-mapping.dmp
memory/4508-232-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4508-230-0x0000000000000000-mapping.dmp
memory/4540-354-0x0000000000590000-0x00000000005A8000-memory.dmp (Filesize: 96KB)
memory/4540-349-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
memory/4540-357-0x0000000000590000-0x00000000005A8000-memory.dmp (Filesize: 96KB)
memory/4584-178-0x0000000000400000-0x0000000000DCB000-memory.dmp (Filesize: 9.8MB)
memory/4584-176-0x0000000000400000-0x0000000000DCB000-memory.dmp (Filesize: 9.8MB)
memory/4584-175-0x0000000000400000-0x0000000000DCB000-memory.dmp (Filesize: 9.8MB)
memory/4584-179-0x0000000000400000-0x0000000000DCB000-memory.dmp (Filesize: 9.8MB)
memory/4584-180-0x0000000000400000-0x0000000000DCB000-memory.dmp (Filesize: 9.8MB)
memory/4584-184-0x0000000000400000-0x0000000000DCB000-memory.dmp (Filesize: 9.8MB)
memory/4584-174-0x0000000000400000-0x0000000000DCB000-memory.dmp (Filesize: 9.8MB)
memory/4584-173-0x0000000000400000-0x0000000000DCB000-memory.dmp (Filesize: 9.8MB)
memory/4584-171-0x0000000000400000-0x0000000000DCB000-memory.dmp (Filesize: 9.8MB)
memory/4616-296-0x0000000000407E4E-mapping.dmp
memory/4616-324-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
memory/4616-165-0x0000000000000000-mapping.dmp
memory/4616-297-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4616-302-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4640-275-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp (Filesize: 10.2MB)
memory/4756-151-0x0000000000000000-mapping.dmp
memory/4772-323-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp (Filesize: 10.2MB)
memory/4788-264-0x0000000000000000-mapping.dmp
memory/4788-265-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp (Filesize: 10.2MB)
memory/4916-294-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp (Filesize: 10.2MB)
memory/4916-292-0x0000000000000000-mapping.dmp
memory/4936-235-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4936-224-0x0000000000000000-mapping.dmp
memory/4936-229-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4936-233-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/4944-259-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp (Filesize: 10.2MB)
memory/4944-258-0x0000000000000000-mapping.dmp
memory/4964-157-0x0000000000000000-mapping.dmp
memory/4992-261-0x0000000000000000-mapping.dmp
memory/4992-262-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp (Filesize: 10.2MB)
memory/5008-222-0x0000000000000000-mapping.dmp
memory/5008-228-0x0000000074900000-0x0000000074EB1000-memory.dmp (Filesize: 5.7MB)
memory/5060-252-0x0000000000000000-mapping.dmp
memory/5060-253-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
memory/5096-167-0x0000000000000000-mapping.dmp
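Four processes in the listing above (1408, 2100, 4468 and 4616) have a mapping dump at 0x407E4E, and 2100 and 4616 also have a 48KB region 0x400000-0x40C000 that contains that address, while the same 5.7MB range at 0x74900000 recurs in many of the processes. The Python below is added as an example and is not part of the sandbox report: it parses the artifact names, reports for each non-zero mapping address whether a dumped region of the same PID contains it and at what offset, and lists the ranges that are shared across PIDs, which is how per-process payload images are told apart from a common module. That a non-zero mapping address is the entry point a parent set with SetThreadContext is an assumption about the sandbox's naming that the report does not state; NAMES is a constructed excerpt of the listing.

```python
"""Correlate sandbox memory artifacts: non-zero *-mapping.dmp addresses
against dumped regions of the same process, and regions shared across
processes.

Added example, not part of the original report.  NAMES is a constructed
excerpt of the artifact names listed above.  Treating a non-zero mapping
address as the thread entry point set by the parent is an assumption."""
import re
from collections import defaultdict

NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>mapping|memory)\.dmp$"
)

NAMES = [  # constructed from the listing above
    "memory/2100-276-0x0000000000400000-0x000000000040C000-memory.dmp",
    "memory/2100-277-0x0000000000407E4E-mapping.dmp",
    "memory/2100-278-0x0000000074900000-0x0000000074EB1000-memory.dmp",
    "memory/4616-165-0x0000000000000000-mapping.dmp",
    "memory/4616-296-0x0000000000407E4E-mapping.dmp",
    "memory/4616-324-0x0000000000400000-0x000000000040C000-memory.dmp",
    "memory/4616-297-0x0000000074900000-0x0000000074EB1000-memory.dmp",
    "memory/1408-287-0x0000000000407E4E-mapping.dmp",
    "memory/1408-288-0x0000000074900000-0x0000000074EB1000-memory.dmp",
    "memory/4584-171-0x0000000000400000-0x0000000000DCB000-memory.dmp",
]


def parse(names):
    """Turn 'memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp' into records."""
    out = []
    for n in names:
        m = NAME.match(n)
        if not m:
            raise ValueError(f"unrecognised artifact name: {n!r}")
        out.append({
            "pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": int(m["start"], 16),
            "end": int(m["end"], 16) if m["end"] else None,
        })
    return out


def entry_points(arts):
    """Non-zero mapping addresses per PID, with the dumped region of that PID
    that contains each one (if any) and the offset into it.  A hit means the
    dumped region is the image that was about to run; no hit means the
    listing has no region for it and the dump set is incomplete."""
    regions = defaultdict(list)
    for a in arts:
        if a["kind"] == "memory":
            regions[a["pid"]].append((a["start"], a["end"]))
    out = []
    for a in arts:
        if a["kind"] != "mapping" or a["start"] == 0:
            continue
        hit = next(((s, e) for s, e in regions[a["pid"]] if s <= a["start"] < e), None)
        out.append({
            "pid": a["pid"], "entry": a["start"], "region": hit,
            "offset": (a["start"] - hit[0]) if hit else None,
        })
    return out


def shared_regions(arts, min_pids=2):
    """(start, end) ranges dumped from at least min_pids distinct processes,
    mapped to the sorted PIDs; a range at the same base in many processes is
    a shared module rather than a per-process payload."""
    seen = defaultdict(set)
    for a in arts:
        if a["kind"] == "memory":
            seen[(a["start"], a["end"])].add(a["pid"])
    return {rng: sorted(pids) for rng, pids in seen.items() if len(pids) >= min_pids}


if __name__ == "__main__":
    arts = parse(NAMES)
    for e in entry_points(arts):
        print(e)
    for (start, end), pids in shared_regions(arts).items():
        print(hex(start), hex(end), pids)
```

On the excerpt, the 0x407E4E entries for 2100 and 4616 resolve to offset 0x7E4E inside their 48KB 0x400000 image, while 1408 has no containing region in the listing; the 0x74900000 range is the only one shared by all three.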