revengerat | 8a8762536fbbd093b02ed8e6d698b8831575206d3d2f0b9d4a06a770ff95785f

Analysis

max time kernel
1800s
max time network
1802s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2023 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hitho.lua
Size

134B
MD5

ddfdcc11a3e4a5dd265442a5bcea9fcf
SHA1

a98cf41fb793d5c23bef6baac5c5848233c6ff41
SHA256

8a8762536fbbd093b02ed8e6d698b8831575206d3d2f0b9d4a06a770ff95785f
SHA512

25baa3074642a5f45760a905e238b3882debc856d9c84701930f4b6ed5d105e983bec3a3dfed0de6c8b6b5b901f575cbccf8fe3debc8f970acc8ff70371d6c02

Score

10^/10

revengerat xmrig guest discovery evasion miner persistence ransomware stealer trojan

Malware Config

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note

User's Manual ~~~~~~~~~~~~~ RAR 6.11 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual. RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe). Configuration file ~~~~~~~~~~~~~~~~~~ RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string: switches=<any RAR switches separated by spaces> For example: switches=-m5 -s It is also possible to specify separate switch sets for individual RAR commands using the following syntax: switches_<command>=<any RAR switches separated by spaces> For example: switches_a=-m5 -s switches_x=-o+ Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted. Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch. You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files. path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch. Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting. In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB. Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command. It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If used without any switches, 'ch' command just copies the archive data without modification. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. If this command removes all files from archive, the empty archive is removed. e Extract files without archived paths. Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames. Example: rar e -or html.rar *.css css\ extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name. f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables; If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups. This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR. Example: rar k final.rar l[t[a],b] List archive contents [technical [all], bare]. 'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character. 'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters. 'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data. 'lb' lists bare file names with path, one per line, without any additional information. You can use -v switch to list contents of all volumes in volume set: rar l -v vol.part1.rar Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present. When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory. Example: rar r buggy.rar c:\fixed\ repair buggy.rar and place the result to 'c:\fixed' directory. rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name. Example: rar rc backup.part03.rar Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the archive data.rar. It is allowed to use wildcards in the source and destination names for simple name transformations

Emails

-n@inclist.txt

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note

WinRAR - What's new in the latest version Version 6.11 1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB. 2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments. 3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version. 4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive. 5. Additional measures to prevent extracting insecure links are implemented. 6. Bugs fixed: a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later; b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction. Version 6.10 1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm. 2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog. 3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older. 4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista. 5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done. 6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction. 7. Switch -si can be used when extracting or testing to read archive data from stdin, such as: type docs.rar | rar x -si -o+ -pmypwd dummy docs\ Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts. 8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example: rar a -ep4texts\books archive c:\texts\books\technical removes "text\books" from archived names, so they start from 'technical'. 9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch. 10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character. 11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data. 12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes. 13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes. 14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently. 15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion. 16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy. 17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives: WinRAR a -v100k -v200k -v300k arcname.zip Previously multiple -v<size> switches were supported only for RAR archives. 18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives. 19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened. 20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities. 21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression". 22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name. 23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows. 24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gracefully skip external data like digital signatures. 25. Bugs fixed: a) when editing a file inside of .rar or .zip archive, WinRAR created a new SFX archive instead of updating an existing archive if "Create SFX archive" option was set in the default compression profile; b) the total progress could be displayed incorrectly when using -oi, -f, -u switches or appropriate GUI options; c) "Find files" command with "Use all tables" option and command line "it" commands failed to find strings in UTF-16 encoding. Version 6.02 1. ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body. We already prohibited extracting contents of such malformed archives in WinRAR 6.01. We are thankful to Jacob Thompson - Mandiant Advantage Labs for reporting this issue. 2. WinRAR uses https instead of http in the web notifier window, home page and themes links. It also implements additional checks within the web notifier. This is done to prevent a malicious web page from executing existing files on a user's computer. Such attack is only possible if the intruder has managed to spoof or otherwise control user's DNS records. Some other factors are also involved in limiting the practical application of this attack. We would like to express our gratitude to Igor Sak-Sakovskiy for bringing this issue to our attention. 3. Where appropriate, SFX archive displays the additional line with detailed error information provided by operating system. For example, previously such archive would display "Cannot create file" message alone. Now this message is followed by a detailed reason like access denied or file being used by another process. In the past this extended error information was available in WinRAR, but not in SFX archives. 4. Switch -idn hides archived names also in 'v' and 'l' commands. It can be useful if only the archive type or total information is needed. 5. If -ibck -ri<priority> switches are used together, WinRAR process sets the priority specified in -ri switch. Previous versions ignored -ri and set the priority to low in the presence of -ibck switch. 6. When using "File/Change drive" command, WinRAR saves the last folder of previous drive and restores it if that drive is selected again later. 7. Name of unpacking file is now included into WinRAR incorrect password warning for RAR5 archives. It can be helpful when unpacking a non-solid archive containing files encrypted with different passwords. 8. Bugs fixed: a) "Convert archives" command issued erroneous "The specified password is incorrect" message after succesfully converting RAR archive with encrypted file names if new password was set and archive was opened in WinRAR shell; b) if command progress window was resized up and then quickly resized down to original dimensions, window contents could be positioned incorrectly. Version 6.01 1. Ctrl+A keyboard shortcut selects the entire text in WinRAR comment window. 2. If -idn switch is used together with -t or -df in console RAR when archiving, it additionally disables "Deleting <filename>" or "Testing <filename>" messages, normally issued by these switches. Also -idn disables folder creation messages when extracting a file to non-existing folder. 3. WinRAR and ZIP SFX module refuse to extract contents of ZIP SFX archives if ZIP central directory is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into signature body. 4. Bugs fixed: a) "Convert archives" command could incorrectly convert Unicode comments in RAR archives. b) if two archive information windows had been opened from Explorer context menu, the compression ratio bar in the first window could erroneously display a value for second archive. It did not affect the ratio and other text details at the right of window. Only the vertical bar at the left could be updated to a wrong value; c) if "Wait if other WinRAR copies are active" option was enabled in extraction dialog, "Waiting for another WinRAR copy" title was not set in command progress window while waiting; d) when extracting a symbolic link, previous versions did not overwrite existing symbolic links even if user requested it in overwrite prompt. Version 6.00 1. "Ignore" and "Ignore All" options are added to read error prompt. "Ignore" allows to continue processing with already read file part only and "Ignore All" does it for all future read errors. For example, if you archive a file, which portion is locked by another process, and if "Ignore" is selected in read error prompt, only a part of file preceding the unreadable region will be saved into archive. It can help to avoid interrupting lengthy archiving operations, though be aware that files archived with "Ignore" are incomplete. If switch -y is specified, "Ignore" is applied to all files by default. Previously available "Retry" and "Quit" options are still present in read error prompt as well. 2. Exit code 12 is returned in the command line mode in case of read errors. This code is returned for all options in the read error prompt, including a newly introduced "Ignore" option. Previously more common fatal error code 2 was returned for read errors. 3. If several archives are selected, "Extract archives to" option group in "Options" page of extraction dialog can be used to place extracted files to specified destination folder, to separate subfolders in destination folder, to separate subfolders in archive folders and directly to archive folders. It replaces "Extract archives to subfolders" option and available only if multiple archives are selected. 4. New -ad2 switch places extracted files directly to archive's own folder. Unlike -ad1, it does not create a separate subfolder for each unpacked archive. 5. "Additional switches" option in "Options" page of archiving and extraction dialogs allows to specify WinRAR command line switches. It might be useful if there is no option in WinRAR graphical interface matching a switch. Use this feature only if you are familiar with WinRAR command line syntax and clearly understand what specified switches are intended for. 6. Compression parameters in "Benchmark" command are changed to 32 MB dictionary and "Normal" method. They match RAR5 default mode and more suitable to estimate the typical performance of recent WinRAR versions than former 4 MB "Best" intended for RAR4 format. Latest "Benchmark" results cannot be compared with previous versions directly. New parameters set produces different values, likely lower because of eight times larger dictionary size. 7. When unpacking a part of files from solid volume set, WinRAR attempts to skip volumes in the beginning and

URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

Extracted

Family

revengerat

Botnet

Guest

127.0.0.1:9551

Mutex

RV_MUTEX-uawrHJfWfhaR

Signatures

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

uninstall.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

RevengeRat Executable 12 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/3724-199-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat
behavioral1/memory/3724-201-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat
behavioral1/memory/2100-276-0x0000000000400000-0x000000000040C000-memory.dmp	revengerat
behavioral1/memory/2100-277-0x0000000000407E4E-mapping.dmp	revengerat
behavioral1/memory/1408-287-0x0000000000407E4E-mapping.dmp	revengerat
behavioral1/memory/4616-296-0x0000000000407E4E-mapping.dmp	revengerat
behavioral1/memory/4468-305-0x0000000000407E4E-mapping.dmp	revengerat
behavioral1/memory/4616-324-0x0000000000400000-0x000000000040C000-memory.dmp	revengerat
behavioral1/memory/208-335-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/208-337-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/4540-354-0x0000000000590000-0x00000000005A8000-memory.dmp	revengerat
behavioral1/memory/4540-357-0x0000000000590000-0x00000000005A8000-memory.dmp	revengerat

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4584-174-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/4584-175-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/4584-176-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/4584-178-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/4584-179-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/4584-180-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral1/memory/4584-184-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 39 IoCs

Processes:

winrar-x64-611.exeuninstall.exeWinRAR.exeChromeRecovery.exeRevenge-RAT v0.3x.exeTiWorker.exeRevenge-RAT v0.3.exedotNET_Reactor.exeRevenge-RAT v0.3.exeClient.exeClient.exeClient.exeClient.exempress.exedotNET_Reactor.exeded.exeded.exeded.exeGoRC.exeResource Hacker.exeddddd‮4PM..exeddddd‮4PM..exeddddd‮4PM..exeddddd‮4PM..exeClient.exeGoRC.exeResource Hacker.exeew‮4PM..exeGoRC.exeResource Hacker.exebru‮4PM..exeClient.exeClient.exeGoRC.exeResource Hacker.exedotNET_Reactor.exewwww.exewwww.exeClient.exe

pid	process
1396	winrar-x64-611.exe
1956	uninstall.exe
2988	WinRAR.exe
4756	ChromeRecovery.exe
2064	Revenge-RAT v0.3x.exe
4584	TiWorker.exe
1964	Revenge-RAT v0.3.exe
1372	dotNET_Reactor.exe
4012	Revenge-RAT v0.3.exe
1480	Client.exe
4072	Client.exe
5008	Client.exe
4416	Client.exe
5060	mpress.exe
2704	dotNET_Reactor.exe
4944	ded.exe
4992	ded.exe
4788	ded.exe
2284	GoRC.exe
212	Resource Hacker.exe
4640	ddddd‮4PM..exe
544	ddddd‮4PM..exe
4916	ddddd‮4PM..exe
4072	ddddd‮4PM..exe
180	Client.exe
3796	GoRC.exe
3196	Resource Hacker.exe
4772	ew‮4PM..exe
64	GoRC.exe
4508	Resource Hacker.exe
3636	bru‮4PM..exe
1160	Client.exe
2488	Client.exe
2392	GoRC.exe
1492	Resource Hacker.exe
3136	dotNET_Reactor.exe
3140	wwww.exe
1496	wwww.exe
3568	Client.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

2700 netsh.exe
3200 netsh.exe

pid	process
2700	netsh.exe
3200	netsh.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

uninstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winrar-x64-611.exeRevenge-RAT v0.3x.exeRevenge-RAT v0.3.exeRevenge-RAT v0.3.exebru‮4PM..exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	winrar-x64-611.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Revenge-RAT v0.3x.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Revenge-RAT v0.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Revenge-RAT v0.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	bru‮4PM..exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Client.exe

Loads dropped DLL 9 IoCs

Processes:

aspnet_compiler.exeaspnet_compiler.exeexplorer.exeaspnet_compiler.exeaspnet_compiler.exeaspnet_compiler.exeClient.exeaspnet_compiler.exe

pid	process
3004
3724	aspnet_compiler.exe
4480	aspnet_compiler.exe
1880	explorer.exe
2100	aspnet_compiler.exe
1408	aspnet_compiler.exe
4616	aspnet_compiler.exe
1160	Client.exe
208	aspnet_compiler.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe	autoit_exe
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe	autoit_exe

Drops file in System32 directory 8 IoCs

Processes:

Revenge-RAT v0.3x.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\MicrosoftWindows.xml	Revenge-RAT v0.3x.exe
File opened for modification	C:\Windows\SysWOW64\MicrosoftWindows.xml	Revenge-RAT v0.3x.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{18ECAF48-72A2-4689-BE77-3D0AF5D09AB5}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{02E79545-05FB-447D-B7D5-5243C80E347B}.catalogItem	svchost.exe
File created	C:\Windows\SysWOW64\TiWorker.exe	Revenge-RAT v0.3x.exe
File opened for modification	C:\Windows\SysWOW64\TiWorker.exe	Revenge-RAT v0.3x.exe
File created	C:\Windows\SysWOW64\config.json	Revenge-RAT v0.3x.exe
File opened for modification	C:\Windows\SysWOW64\config.json	Revenge-RAT v0.3x.exe

Suspicious use of SetThreadContext 25 IoCs

Processes:

Client.exeaspnet_compiler.exeClient.exeaspnet_compiler.exeClient.exeaspnet_compiler.exeClient.exeaspnet_compiler.exeddddd‮4PM..exeaspnet_compiler.exeddddd‮4PM..exeaspnet_compiler.exeddddd‮4PM..exeaspnet_compiler.exeddddd‮4PM..exeaspnet_compiler.exeClient.exeaspnet_compiler.exeew‮4PM..exeaspnet_compiler.exewwww.exeaspnet_compiler.exewwww.exeaspnet_compiler.exeClient.exe

description	pid	process	target process
PID 1480 set thread context of 3724	1480	Client.exe	aspnet_compiler.exe
PID 3724 set thread context of 2424	3724	aspnet_compiler.exe	aspnet_compiler.exe
PID 4072 set thread context of 4480	4072	Client.exe	aspnet_compiler.exe
PID 4480 set thread context of 1300	4480	aspnet_compiler.exe	aspnet_compiler.exe
PID 5008 set thread context of 4936	5008	Client.exe	aspnet_compiler.exe
PID 4936 set thread context of 4508	4936	aspnet_compiler.exe	aspnet_compiler.exe
PID 4416 set thread context of 2096	4416	Client.exe	aspnet_compiler.exe
PID 2096 set thread context of 3412	2096	aspnet_compiler.exe	aspnet_compiler.exe
PID 4640 set thread context of 2100	4640	ddddd‮4PM..exe	aspnet_compiler.exe
PID 2100 set thread context of 1572	2100	aspnet_compiler.exe	aspnet_compiler.exe
PID 544 set thread context of 1408	544	ddddd‮4PM..exe	aspnet_compiler.exe
PID 1408 set thread context of 460	1408	aspnet_compiler.exe	aspnet_compiler.exe
PID 4916 set thread context of 4616	4916	ddddd‮4PM..exe	aspnet_compiler.exe
PID 4616 set thread context of 4036	4616	aspnet_compiler.exe	aspnet_compiler.exe
PID 4072 set thread context of 4468	4072	ddddd‮4PM..exe	aspnet_compiler.exe
PID 4468 set thread context of 4464	4468	aspnet_compiler.exe	aspnet_compiler.exe
PID 180 set thread context of 1880	180	Client.exe	aspnet_compiler.exe
PID 1880 set thread context of 1556	1880	aspnet_compiler.exe	aspnet_compiler.exe
PID 4772 set thread context of 4616	4772	ew‮4PM..exe	aspnet_compiler.exe
PID 4616 set thread context of 3136	4616	aspnet_compiler.exe	aspnet_compiler.exe
PID 3140 set thread context of 208	3140	wwww.exe	aspnet_compiler.exe
PID 208 set thread context of 2964	208	aspnet_compiler.exe	aspnet_compiler.exe
PID 1496 set thread context of 456	1496	wwww.exe	aspnet_compiler.exe
PID 456 set thread context of 1408	456	aspnet_compiler.exe	aspnet_compiler.exe
PID 3568 set thread context of 4540	3568	Client.exe	aspnet_compiler.exe

Drops file in Program Files directory 64 IoCs

Processes:

uninstall.exewinrar-x64-611.exeelevation_service.exe

description	ioc	process
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-611.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\manifest.json	elevation_service.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240615937	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-611.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-611.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-611.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-611.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3224 4540 WerFault.exe aspnet_compiler.exe
3576 4540 WerFault.exe aspnet_compiler.exe

pid	pid_target	process	target process
3224	4540	WerFault.exe	aspnet_compiler.exe
3576	4540	WerFault.exe	aspnet_compiler.exe

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exetaskmgr.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 42 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aspnet_compiler.exebru‮4PM..exeaspnet_compiler.exeaspnet_compiler.exeaspnet_compiler.exedw20.exeaspnet_compiler.exeaspnet_compiler.exedw20.exeaspnet_compiler.exeaspnet_compiler.exeaspnet_compiler.exedw20.exeClient.exeClient.exesvchost.exeaspnet_compiler.exeaspnet_compiler.exeaspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	bru‮4PM..exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bru‮4PM..exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Client.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	aspnet_compiler.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4616 schtasks.exe

pid	process
4616	schtasks.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exechrome.exesvchost.exedw20.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeWinRAR.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	WinRAR.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe

Modifies registry class 64 IoCs

Processes:

Revenge-RAT v0.3.exeexplorer.exeexplorer.exeexplorer.exeuninstall.exeRevenge-RAT v0.3.exeaspnet_compiler.exeClient.exeaspnet_compiler.exeaspnet_compiler.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz	uninstall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000200000001000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r08	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r22\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Downloads"	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Revenge-RAT v0.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r08\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r01	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	aspnet_compiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Revenge-RAT v0.3.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid process

3636 explorer.exe
1880 explorer.exe
5040 explorer.exe

pid	process
3636	explorer.exe
1880	explorer.exe
5040	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeRevenge-RAT v0.3x.exechrome.exetaskmgr.exesdiagnhost.exetaskmgr.exe

pid	process
400	chrome.exe
400	chrome.exe
2204	chrome.exe
2204	chrome.exe
4044	chrome.exe
4044	chrome.exe
1588	chrome.exe
1588	chrome.exe
1432	chrome.exe
1432	chrome.exe
4856	chrome.exe
4856	chrome.exe
2288	chrome.exe
2288	chrome.exe
3520	chrome.exe
3520	chrome.exe
1588	chrome.exe
1588	chrome.exe
2064	Revenge-RAT v0.3x.exe
2064	Revenge-RAT v0.3x.exe
2064	Revenge-RAT v0.3x.exe
2064	Revenge-RAT v0.3x.exe
2064	Revenge-RAT v0.3x.exe
2064	Revenge-RAT v0.3x.exe
2064	Revenge-RAT v0.3x.exe
2064	Revenge-RAT v0.3x.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3112	sdiagnhost.exe
3692	taskmgr.exe
3692	taskmgr.exe
3692	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

Processes:

WinRAR.exeRevenge-RAT v0.3.exeRevenge-RAT v0.3.exeexplorer.exetaskmgr.exetaskmgr.exe

pid process

2988 WinRAR.exe
1964 Revenge-RAT v0.3.exe
4012 Revenge-RAT v0.3.exe
1880 explorer.exe
2416 taskmgr.exe
3480 taskmgr.exe

pid	process
2988	WinRAR.exe
1964	Revenge-RAT v0.3.exe
4012	Revenge-RAT v0.3.exe
1880	explorer.exe
2416	taskmgr.exe
3480	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

chrome.exe

pid	process
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

TiWorker.exeRevenge-RAT v0.3.exeClient.exeaspnet_compiler.exeClient.exeaspnet_compiler.exeClient.exeaspnet_compiler.exeClient.exeaspnet_compiler.exetaskmgr.exedw20.exedw20.exedw20.exesdiagnhost.exetaskmgr.exeddddd‮4PM..exeaspnet_compiler.exeddddd‮4PM..exeaspnet_compiler.exeddddd‮4PM..exeaspnet_compiler.exeddddd‮4PM..exeaspnet_compiler.exeClient.exeaspnet_compiler.exetaskmgr.exeew‮4PM..exeaspnet_compiler.exebru‮4PM..exetaskmgr.exeClient.exeClient.exewwww.exeaspnet_compiler.exetaskmgr.exewwww.exeaspnet_compiler.exeClient.exe

description	pid	process
Token: SeLockMemoryPrivilege	4584	TiWorker.exe
Token: SeDebugPrivilege	1964	Revenge-RAT v0.3.exe
Token: SeDebugPrivilege	1480	Client.exe
Token: SeDebugPrivilege	3724	aspnet_compiler.exe
Token: SeDebugPrivilege	4072	Client.exe
Token: SeDebugPrivilege	4480	aspnet_compiler.exe
Token: SeDebugPrivilege	5008	Client.exe
Token: SeDebugPrivilege	4936	aspnet_compiler.exe
Token: SeDebugPrivilege	4416	Client.exe
Token: SeDebugPrivilege	2096	aspnet_compiler.exe
Token: SeDebugPrivilege	3596	taskmgr.exe
Token: SeSystemProfilePrivilege	3596	taskmgr.exe
Token: SeCreateGlobalPrivilege	3596	taskmgr.exe
Token: 33	3596	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3596	taskmgr.exe
Token: SeBackupPrivilege	4220	dw20.exe
Token: SeBackupPrivilege	4220	dw20.exe
Token: SeBackupPrivilege	4416	dw20.exe
Token: SeBackupPrivilege	4416	dw20.exe
Token: SeBackupPrivilege	3484	dw20.exe
Token: SeBackupPrivilege	3484	dw20.exe
Token: SeDebugPrivilege	3112	sdiagnhost.exe
Token: SeDebugPrivilege	3692	taskmgr.exe
Token: SeSystemProfilePrivilege	3692	taskmgr.exe
Token: SeCreateGlobalPrivilege	3692	taskmgr.exe
Token: 33	3692	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3692	taskmgr.exe
Token: SeDebugPrivilege	4640	ddddd‮4PM..exe
Token: SeDebugPrivilege	2100	aspnet_compiler.exe
Token: SeDebugPrivilege	544	ddddd‮4PM..exe
Token: SeDebugPrivilege	1408	aspnet_compiler.exe
Token: SeDebugPrivilege	4916	ddddd‮4PM..exe
Token: SeDebugPrivilege	4616	aspnet_compiler.exe
Token: SeDebugPrivilege	4072	ddddd‮4PM..exe
Token: SeDebugPrivilege	4468	aspnet_compiler.exe
Token: SeDebugPrivilege	180	Client.exe
Token: SeDebugPrivilege	1880	aspnet_compiler.exe
Token: SeDebugPrivilege	2416	taskmgr.exe
Token: SeSystemProfilePrivilege	2416	taskmgr.exe
Token: SeCreateGlobalPrivilege	2416	taskmgr.exe
Token: SeDebugPrivilege	4772	ew‮4PM..exe
Token: SeDebugPrivilege	4616	aspnet_compiler.exe
Token: 33	2416	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2416	taskmgr.exe
Token: SeDebugPrivilege	3636	bru‮4PM..exe
Token: SeDebugPrivilege	4388	taskmgr.exe
Token: SeSystemProfilePrivilege	4388	taskmgr.exe
Token: SeCreateGlobalPrivilege	4388	taskmgr.exe
Token: SeDebugPrivilege	1160	Client.exe
Token: SeDebugPrivilege	2488	Client.exe
Token: 33	4388	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4388	taskmgr.exe
Token: SeDebugPrivilege	3140	wwww.exe
Token: SeDebugPrivilege	208	aspnet_compiler.exe
Token: SeDebugPrivilege	3480	taskmgr.exe
Token: SeSystemProfilePrivilege	3480	taskmgr.exe
Token: SeCreateGlobalPrivilege	3480	taskmgr.exe
Token: SeDebugPrivilege	1496	wwww.exe
Token: SeDebugPrivilege	456	aspnet_compiler.exe
Token: SeDebugPrivilege	3568	Client.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeWinRAR.exeRevenge-RAT v0.3.exe

pid	process
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
2988	WinRAR.exe
1964	Revenge-RAT v0.3.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeRevenge-RAT v0.3.exeRevenge-RAT v0.3.exetaskmgr.exe

pid	process
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
1964	Revenge-RAT v0.3.exe
1964	Revenge-RAT v0.3.exe
1964	Revenge-RAT v0.3.exe
4012	Revenge-RAT v0.3.exe
4012	Revenge-RAT v0.3.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe

Suspicious use of SetWindowsHookEx 38 IoCs

Processes:

OpenWith.exewinrar-x64-611.exeWinRAR.exeRevenge-RAT v0.3x.exeRevenge-RAT v0.3.exeilasm.exeexplorer.exeRevenge-RAT v0.3.exeilasm.exeexplorer.exedw20.exedw20.exedw20.exeilasm.exeResource Hacker.exeilasm.exeResource Hacker.exeilasm.exeResource Hacker.exeilasm.exeResource Hacker.exeexplorer.exe

pid	process
2656	OpenWith.exe
1396	winrar-x64-611.exe
1396	winrar-x64-611.exe
2988	WinRAR.exe
2988	WinRAR.exe
2064	Revenge-RAT v0.3x.exe
1964	Revenge-RAT v0.3.exe
1964	Revenge-RAT v0.3.exe
1964	Revenge-RAT v0.3.exe
804	ilasm.exe
3636	explorer.exe
3636	explorer.exe
4012	Revenge-RAT v0.3.exe
4012	Revenge-RAT v0.3.exe
2808	ilasm.exe
1880	explorer.exe
1880	explorer.exe
4220	dw20.exe
4416	dw20.exe
3484	dw20.exe
4012	Revenge-RAT v0.3.exe
4012	Revenge-RAT v0.3.exe
2220	ilasm.exe
212	Resource Hacker.exe
4012	Revenge-RAT v0.3.exe
4012	Revenge-RAT v0.3.exe
4012	Revenge-RAT v0.3.exe
544	ilasm.exe
3196	Resource Hacker.exe
4012	Revenge-RAT v0.3.exe
1568	ilasm.exe
4508	Resource Hacker.exe
4012	Revenge-RAT v0.3.exe
4012	Revenge-RAT v0.3.exe
3928	ilasm.exe
1492	Resource Hacker.exe
5040	explorer.exe
5040	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2204 wrote to memory of 2248	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2248	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 400	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 400	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 4312	2204	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\hitho.lua
1⤵
PID:4904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6d814f50,0x7ffd6d814f60,0x7ffd6d814f70
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1592 /prefetch:2
2⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:8
2⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
2⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
2⤵
PID:316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
2⤵
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
2⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4484 /prefetch:8
2⤵
PID:460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
2⤵
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:8
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:8
2⤵
PID:3928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5832 /prefetch:8
2⤵
PID:1828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
2⤵
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
2⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6292 /prefetch:8
2⤵
PID:308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
2⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3212 /prefetch:8
2⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6836 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7132 /prefetch:8
2⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7012 /prefetch:8
2⤵
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6992 /prefetch:8
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7496 /prefetch:8
2⤵
PID:1356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7620 /prefetch:8
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7576 /prefetch:8
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7792 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
2⤵
PID:3928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
2⤵
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6428 /prefetch:8
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3300 /prefetch:8
2⤵
PID:2556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6380 /prefetch:8
2⤵
PID:3936

C:\Users\Admin\Downloads\winrar-x64-611.exe
"C:\Users\Admin\Downloads\winrar-x64-611.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Program Files\WinRAR\uninstall.exe
"C:\Program Files\WinRAR\uninstall.exe" /setup
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
2⤵
PID:308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5836 /prefetch:8
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:1
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6264 /prefetch:8
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3520

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Revenge-RAT v0.3.zip"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:8
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1408 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5276 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4292 /prefetch:8
2⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1504 /prefetch:8
2⤵
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:8
2⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 /prefetch:8
2⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1260 /prefetch:8
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4316 /prefetch:8
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1472 /prefetch:8
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6572 /prefetch:8
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1176 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7420 /prefetch:8
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1176 /prefetch:8
2⤵
PID:588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,666477468288004986,17275203332089860481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
2⤵
PID:1896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:1272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1892

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:340

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={d7aea397-d806-43ad-9333-de4f9d7335f8} --system
2⤵
- Executes dropped EXE
PID:4756

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe
"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit
2⤵
PID:1572

C:\Windows\system32\schtasks.exe
schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
3⤵
PID:2444

C:\Windows\system32\schtasks.exe
schtasks /End /TN "WindowsUpdate"
3⤵
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit
2⤵
PID:4256

C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "WindowsUpdate" /F
3⤵
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
2⤵
PID:1496

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
2⤵
PID:2416

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
3⤵
- Modifies Windows Firewall
PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
2⤵
PID:2080

C:\Windows\system32\schtasks.exe
schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
3⤵
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
2⤵
PID:5096

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"
3⤵
PID:4188

C:\Windows\system32\schtasks.exe
schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
3⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit
2⤵
PID:1752

C:\Windows\system32\certutil.exe
certutil –addstore –f root MicrosoftWindows.crt
3⤵
PID:3636

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe
"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\Client.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:804

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe
"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe" dotNET_Reactor.exe -file "C:\Users\Admin\Downloads\Client.exe" -antitamp[1] -suppressildasm[1] -obfuscate_public_types[1] -stringencryption[1] -obfuscation[1] -targetfile "C:\Users\Admin\Downloads\Client.exe"
3⤵
- Executes dropped EXE
PID:1372

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" /select,C:\Users\Admin\Downloads\Client.exe
3⤵
PID:2040

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe
"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\ded.exe" /resource:Extensions\Admin.res
4⤵
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB256.tmp" "Extensions\Admin.res"
5⤵
PID:1820

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\mpress.exe
"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\mpress.exe" C:\Users\Admin\Downloads\ded.exe -s
4⤵
- Executes dropped EXE
PID:5060

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe
"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe" dotNET_Reactor.exe -file "C:\Users\Admin\Downloads\ded.exe" -antitamp[1] -suppressildasm[1] -obfuscate_public_types[1] -stringencryption[1] -obfuscation[1] -targetfile "C:\Users\Admin\Downloads\ded.exe"
4⤵
- Executes dropped EXE
PID:2704

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" /select,C:\Users\Admin\Downloads\ded.exe
4⤵
PID:3476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\ddddd.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\GoRC.exe
Extensions\GoRC /r Extensions\Information.rc
4⤵
- Executes dropped EXE
PID:2284

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Resource Hacker.exe
"Extensions\Resource Hacker" -addoverwrite C:\Users\Admin\Downloads\ddddd.exe,C:\Users\Admin\Downloads\ddddd.exe,C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Information.res,VERSIONINFO,1,
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\ew.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:544

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\GoRC.exe
Extensions\GoRC /r Extensions\Information.rc
4⤵
- Executes dropped EXE
PID:3796

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Resource Hacker.exe
"Extensions\Resource Hacker" -addoverwrite C:\Users\Admin\Downloads\ew.exe,C:\Users\Admin\Downloads\ew.exe,C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Information.res,VERSIONINFO,1,
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\bru.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\GoRC.exe
Extensions\GoRC /r Extensions\Information.rc
4⤵
- Executes dropped EXE
PID:64

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Resource Hacker.exe
"Extensions\Resource Hacker" -addoverwrite C:\Users\Admin\Downloads\bru.exe,C:\Users\Admin\Downloads\bru.exe,C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Information.res,VERSIONINFO,1,
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Downloads\wwww.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\GoRC.exe
Extensions\GoRC /r Extensions\Information.rc
4⤵
- Executes dropped EXE
PID:2392

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Resource Hacker.exe
"Extensions\Resource Hacker" -addoverwrite C:\Users\Admin\Downloads\wwww.exe,C:\Users\Admin\Downloads\wwww.exe,C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\Information.res,VERSIONINFO,1,
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe
"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Extensions\dotNET_Reactor.exe" dotNET_Reactor.exe -file "C:\Users\Admin\Downloads\wwww.exe" -obfuscate_public_types[1] -stringencryption[1] -obfuscation[1] -targetfile "C:\Users\Admin\Downloads\wwww.exe"
4⤵
- Executes dropped EXE
PID:3136

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" /select,C:\Users\Admin\Downloads\wwww.exe
4⤵
PID:2296

C:\Windows\SysWOW64\TiWorker.exe
C:\Windows\SysWOW64\TiWorker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Users\Admin\Downloads\Client.exe
"C:\Users\Admin\Downloads\Client.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
3⤵
PID:2424

C:\Users\Admin\Downloads\Client.exe
"C:\Users\Admin\Downloads\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
5⤵
PID:1300

C:\Users\Admin\Downloads\Client.exe
"C:\Users\Admin\Downloads\Client.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
6⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
7⤵
PID:4508

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
8⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
9⤵
PID:3412

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Users\Admin\Downloads\ded.exe
"C:\Users\Admin\Downloads\ded.exe"
2⤵
- Executes dropped EXE
PID:4944

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 780
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4220

C:\Users\Admin\Downloads\ded.exe
"C:\Users\Admin\Downloads\ded.exe"
2⤵
- Executes dropped EXE
PID:4992

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 776
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Users\Admin\Downloads\ded.exe
"C:\Users\Admin\Downloads\ded.exe"
2⤵
- Executes dropped EXE
PID:4788

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 776
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\ded.exe" ContextMenu
2⤵
PID:4348

C:\Windows\System32\msdt.exe
C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW71ED.xml /skip TRUE
3⤵
PID:1712

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Users\Admin\Downloads\ddddd‮4PM..exe
"C:\Users\Admin\Downloads\ddddd‮4PM..exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
3⤵
PID:1572

C:\Users\Admin\Downloads\ddddd‮4PM..exe
"C:\Users\Admin\Downloads\ddddd‮4PM..exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
5⤵
PID:460

C:\Users\Admin\Downloads\ddddd‮4PM..exe
"C:\Users\Admin\Downloads\ddddd‮4PM..exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
6⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
7⤵
PID:4036

C:\Users\Admin\Downloads\ddddd‮4PM..exe
"C:\Users\Admin\Downloads\ddddd‮4PM..exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
8⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
9⤵
PID:4464

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
10⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
11⤵
PID:1556

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Users\Admin\Downloads\ew‮4PM..exe
"C:\Users\Admin\Downloads\ew‮4PM..exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
2⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
3⤵
PID:3136

C:\Users\Admin\Downloads\bru‮4PM..exe
"C:\Users\Admin\Downloads\bru‮4PM..exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5040

C:\Users\Admin\Downloads\wwww.exe
"C:\Users\Admin\Downloads\wwww.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:2964

C:\Users\Admin\Downloads\wwww.exe
"C:\Users\Admin\Downloads\wwww.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
6⤵
PID:1408

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
7⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 228
8⤵
- Program crash
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 232
8⤵
- Program crash
PID:3576

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 4540
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4540 -ip 4540
1⤵
PID:3792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir340_135590939\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Program Files\WinRAR\Rar.txt
Filesize
107KB

MD5
8933d6e810668af29d7ba8f1c3b2b9ff

SHA1
760cbb236c4ca6e0003582aaefd72ff8b1c872aa

SHA256
cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7

SHA512
344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e

Download Submit
C:\Program Files\WinRAR\RarExt.dll
Filesize
632KB

MD5
650a771d005941c7a23926011d75ad8f

SHA1
84b346acd006f21d7ffb8d5ea5937ec0ee3daa4f

SHA256
b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f

SHA512
4724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad

Download Submit
C:\Program Files\WinRAR\Uninstall.exe
Filesize
412KB

MD5
92667e28583a9489e3cf4f1a7fd6636e

SHA1
faa09990ba4daae970038ed44e3841151d6e7f28

SHA256
9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

SHA512
63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt
Filesize
95KB

MD5
d4c768c52ee077eb09bac094f4af8310

SHA1
c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1

SHA256
8089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c

SHA512
5b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847

Download Submit
C:\Program Files\WinRAR\WinRAR.chm
Filesize
314KB

MD5
81b236ef16aaa6a3936fd449b12b82a2

SHA1
698acb3c862c7f3ecf94971e4276e531914e67bc

SHA256
d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e

SHA512
968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769

Download Submit
C:\Program Files\WinRAR\WinRAR.exe
Filesize
2.3MB

MD5
0b114fc0f4b6d49f57b3b01dd9ea6a8c

SHA1
23e1480c3ff3a54e712d759e9325d362bf52fabd

SHA256
f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

SHA512
e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

Download Submit
C:\Program Files\WinRAR\WinRAR.exe
Filesize
2.3MB

MD5
0b114fc0f4b6d49f57b3b01dd9ea6a8c

SHA1
23e1480c3ff3a54e712d759e9325d362bf52fabd

SHA256
f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

SHA512
e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe
Filesize
8.6MB

MD5
d1e07bb41ff7de2c390da54e77e7b12f

SHA1
086be6814f70e8ec023f9c9572fef6b46fdaf838

SHA256
b265ae51d014e34ef1db74dc62530e5d146114a3dd3f8eefd80a7b66794cfd17

SHA512
2aa0c7a92b06c477687d3c2fa02b878caf08345c52b51543a429fc8e9d74761bea3d70a0aebc617a04241f8ab85132befb4efb9db8cf054fd273683a05946805

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3x.exe
Filesize
8.6MB

MD5
d1e07bb41ff7de2c390da54e77e7b12f

SHA1
086be6814f70e8ec023f9c9572fef6b46fdaf838

SHA256
b265ae51d014e34ef1db74dc62530e5d146114a3dd3f8eefd80a7b66794cfd17

SHA512
2aa0c7a92b06c477687d3c2fa02b878caf08345c52b51543a429fc8e9d74761bea3d70a0aebc617a04241f8ab85132befb4efb9db8cf054fd273683a05946805

Download Submit
C:\Users\Admin\Downloads\Revenge-RAT v0.3.zip
Filesize
18.5MB

MD5
a284f3db141e523862caab4bbab2ddad

SHA1
f9b60df687cb5aa472c476818405a98fb8d59f00

SHA256
b0e50a5a8fe0c15dae80c41818571ca1b65a2d6868bfc626865ae673df51df66

SHA512
bbcda1e425310bdcabeb126a18ec8a8d958f0f1e7d909f9ff55d3dcaff430f4909de6137f33bafb7b97ba6cd9bbfe236e47ab1bd1299c6cc280fcd50d2674beb

Download Submit
C:\Users\Admin\Downloads\winrar-x64-611.exe
Filesize
3.3MB

MD5
8a6217d94e1bcbabdd1dfcdcaa83d1b3

SHA1
99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

SHA256
3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

SHA512
a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

Download Submit
C:\Users\Admin\Downloads\winrar-x64-611.exe
Filesize
3.3MB

MD5
8a6217d94e1bcbabdd1dfcdcaa83d1b3

SHA1
99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

SHA256
3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

SHA512
a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

Download Submit
C:\Windows\SysWOW64\MicrosoftWindows.xml
Filesize
4KB

MD5
b1cbfcc7b7a5716a30b77f5dc5bb6135

SHA1
5c397ffd7a845b2fdf9e82ff73698784a91a2fb9

SHA256
96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430

SHA512
d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7

Download Submit
C:\Windows\SysWOW64\TiWorker.exe
Filesize
3.2MB

MD5
ecede3c32ce83ff76ae584c938512c5a

SHA1
090b15025e131cc03098f6f0d8fa5366bc5fa1f0

SHA256
366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d

SHA512
61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

Download Submit
\??\pipe\crashpad_2204_PJBGXOLPCBQTHENM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/180-312-0x0000000000000000-mapping.dmp

Download
memory/180-314-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp

Filesize
10.2MB

Download
memory/208-337-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/208-335-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/212-274-0x0000000000000000-mapping.dmp

Download
memory/460-289-0x0000000000000000-mapping.dmp

Download
memory/460-291-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/544-285-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp

Filesize
10.2MB

Download
memory/544-283-0x0000000000000000-mapping.dmp

Download
memory/804-188-0x0000000000000000-mapping.dmp

Download
memory/1160-331-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp

Filesize
10.2MB

Download
memory/1300-220-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1300-217-0x0000000000000000-mapping.dmp

Download
memory/1372-189-0x0000000000000000-mapping.dmp

Download
memory/1372-190-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1372-191-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1396-133-0x0000000000000000-mapping.dmp

Download
memory/1408-293-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1408-288-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1408-287-0x0000000000407E4E-mapping.dmp

Download
memory/1480-202-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1496-160-0x0000000000000000-mapping.dmp

Download
memory/1556-318-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1572-155-0x0000000000000000-mapping.dmp

Download
memory/1572-279-0x0000000000000000-mapping.dmp

Download
memory/1572-280-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1572-281-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1680-169-0x0000000000000000-mapping.dmp

Download
memory/1712-268-0x0000000000000000-mapping.dmp

Download
memory/1752-172-0x0000000000000000-mapping.dmp

Download
memory/1820-251-0x0000000000000000-mapping.dmp

Download
memory/1880-320-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1880-316-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/1956-137-0x0000000000000000-mapping.dmp

Download
memory/1964-186-0x000002A7E58E9000-0x000002A7E58EF000-memory.dmp

Filesize
24KB

Download
memory/1964-187-0x000002A7E58E9000-0x000002A7E58EF000-memory.dmp

Filesize
24KB

Download
memory/1964-183-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp

Filesize
10.8MB

Download
memory/1964-182-0x000002A7CA500000-0x000002A7CB2C4000-memory.dmp

Filesize
13.8MB

Download
memory/1964-181-0x0000000000000000-mapping.dmp

Download
memory/1964-194-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp

Filesize
10.8MB

Download
memory/1964-185-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp

Filesize
10.8MB

Download
memory/1964-195-0x000002A7E58E9000-0x000002A7E58EF000-memory.dmp

Filesize
24KB

Download
memory/2040-192-0x0000000000000000-mapping.dmp

Download
memory/2080-164-0x0000000000000000-mapping.dmp

Download
memory/2096-245-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2096-247-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2096-246-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2096-237-0x0000000000000000-mapping.dmp

Download
memory/2100-276-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2100-277-0x0000000000407E4E-mapping.dmp

Download
memory/2100-282-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2100-284-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2100-278-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2220-272-0x0000000000000000-mapping.dmp

Download
memory/2284-273-0x0000000000000000-mapping.dmp

Download
memory/2416-162-0x0000000000000000-mapping.dmp

Download
memory/2424-205-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2424-209-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2424-204-0x0000000000000000-mapping.dmp

Download
memory/2424-206-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2444-156-0x0000000000000000-mapping.dmp

Download
memory/2488-332-0x00007FFD54E20000-0x00007FFD55856000-memory.dmp

Filesize
10.2MB

Download
memory/2700-161-0x0000000000000000-mapping.dmp

Download
memory/2704-256-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2704-254-0x0000000000000000-mapping.dmp

Download
memory/2704-255-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/2808-250-0x0000000000000000-mapping.dmp

Download
memory/2964-342-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2988-144-0x0000000000000000-mapping.dmp

Download
memory/3112-269-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp

Filesize
10.8MB

Download
memory/3112-271-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp

Filesize
10.8MB

Download
memory/3112-270-0x0000015075700000-0x0000015075722000-memory.dmp

Filesize
136KB

Download
memory/3200-163-0x0000000000000000-mapping.dmp

Download
memory/3412-244-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/3412-242-0x0000000000000000-mapping.dmp

Download
memory/3476-257-0x0000000000000000-mapping.dmp

Download
memory/3484-266-0x0000000000000000-mapping.dmp

Download
memory/3636-330-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp

Filesize
10.2MB

Download
memory/3636-177-0x0000000000000000-mapping.dmp

Download
memory/3724-199-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3724-198-0x0000000000000000-mapping.dmp

Download
memory/3724-203-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/3724-201-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3724-211-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/3724-208-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4012-249-0x0000010FBA3E9000-0x0000010FBA3EF000-memory.dmp

Filesize
24KB

Download
memory/4012-196-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp

Filesize
10.8MB

Download
memory/4012-311-0x0000010FBE260000-0x0000010FBE2BA000-memory.dmp

Filesize
360KB

Download
memory/4012-248-0x0000010FBA3E9000-0x0000010FBA3EF000-memory.dmp

Filesize
24KB

Download
memory/4012-207-0x0000010FBB950000-0x0000010FBB966000-memory.dmp

Filesize
88KB

Download
memory/4012-321-0x0000010FC0E10000-0x0000010FC0E14000-memory.dmp

Filesize
16KB

Download
memory/4012-193-0x0000000000000000-mapping.dmp

Download
memory/4012-319-0x0000010FC0E10000-0x0000010FC0E14000-memory.dmp

Filesize
16KB

Download
memory/4012-197-0x00007FFD67E20000-0x00007FFD688E1000-memory.dmp

Filesize
10.8MB

Download
memory/4036-298-0x0000000000000000-mapping.dmp

Download
memory/4036-300-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4072-210-0x0000000000000000-mapping.dmp

Download
memory/4072-303-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp

Filesize
10.2MB

Download
memory/4072-216-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4072-159-0x0000000000000000-mapping.dmp

Download
memory/4072-301-0x0000000000000000-mapping.dmp

Download
memory/4188-168-0x0000000000000000-mapping.dmp

Download
memory/4220-260-0x0000000000000000-mapping.dmp

Download
memory/4256-158-0x0000000000000000-mapping.dmp

Download
memory/4348-267-0x0000000000000000-mapping.dmp

Download
memory/4416-263-0x0000000000000000-mapping.dmp

Download
memory/4416-241-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4416-236-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4416-234-0x0000000000000000-mapping.dmp

Download
memory/4464-307-0x0000000000000000-mapping.dmp

Download
memory/4464-309-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4468-306-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4468-313-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4468-305-0x0000000000407E4E-mapping.dmp

Download
memory/4468-310-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4480-223-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4480-221-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4480-218-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4480-212-0x0000000000000000-mapping.dmp

Download
memory/4508-232-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4508-230-0x0000000000000000-mapping.dmp

Download
memory/4540-354-0x0000000000590000-0x00000000005A8000-memory.dmp

Filesize
96KB

Download
memory/4540-349-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4540-357-0x0000000000590000-0x00000000005A8000-memory.dmp

Filesize
96KB

Download
memory/4584-178-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4584-176-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4584-175-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4584-179-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4584-180-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4584-184-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4584-174-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4584-173-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4584-171-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4616-296-0x0000000000407E4E-mapping.dmp

Download
memory/4616-324-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4616-165-0x0000000000000000-mapping.dmp

Download
memory/4616-297-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4616-302-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4640-275-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp

Filesize
10.2MB

Download
memory/4756-151-0x0000000000000000-mapping.dmp

Download
memory/4772-323-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp

Filesize
10.2MB

Download
memory/4788-264-0x0000000000000000-mapping.dmp

Download
memory/4788-265-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp

Filesize
10.2MB

Download
memory/4916-294-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp

Filesize
10.2MB

Download
memory/4916-292-0x0000000000000000-mapping.dmp

Download
memory/4936-235-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4936-224-0x0000000000000000-mapping.dmp

Download
memory/4936-229-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4936-233-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/4944-259-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp

Filesize
10.2MB

Download
memory/4944-258-0x0000000000000000-mapping.dmp

Download
memory/4964-157-0x0000000000000000-mapping.dmp

Download
memory/4992-261-0x0000000000000000-mapping.dmp

Download
memory/4992-262-0x00007FFD54470000-0x00007FFD54EA6000-memory.dmp

Filesize
10.2MB

Download
memory/5008-222-0x0000000000000000-mapping.dmp

Download
memory/5008-228-0x0000000074900000-0x0000000074EB1000-memory.dmp

Filesize
5.7MB

Download
memory/5060-252-0x0000000000000000-mapping.dmp

Download
memory/5060-253-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5096-167-0x0000000000000000-mapping.dmp

Download