darkcomet | 0345f6737ce5fd92f26f52bc57b43139abe9bd32acab831644f4054c45bee75c

Analysis

max time kernel
1801s
max time network
1804s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2022 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mega_joiner.exe
Size

2.0MB
MD5

fa70cd866b1adbf3df6c6789bfae201e
SHA1

f97b81f64d2af855ab2f903af64ddfb1eeabd3e4
SHA256

0345f6737ce5fd92f26f52bc57b43139abe9bd32acab831644f4054c45bee75c
SHA512

b046c0a18f20531c008c0213f5b439531186903a3012b86489a1b3b0d582b5d7da90b695bbfccdbf597266804295d4dbd30eaab86607d2e169d094eb21b64f19

Score

10^/10

darkcomet xmrig guest16 discovery evasion miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

mrchamp.hopto.org:1604

Mutex

DC_MUTEX-M70B9H0

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
RxDT39JFfM7e
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

setup v1.1.bat

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	setup v1.1.bat

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1528-236-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/1528-237-0x00000001402E255C-mapping.dmp	xmrig
behavioral1/memory/1528-238-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/1528-239-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/1528-243-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/1528-247-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe

Executes dropped EXE 20 IoCs

Processes:

._cache_Mega_joiner.exeSynaptics.exesetup v1.1.batMega_Joiner.exemsdcsc.exeFreeBLASTHACK3.exe._cache_FreeBLASTHACK3.exeWallHack.exe._cache_WallHack.exeExtrimHack by Tickek.exeFreeBLASTHACK3.exe._cache_FreeBLASTHACK3.exesihost64.exeServices.exesihost64.exeChromeRecovery.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid	process
4516	._cache_Mega_joiner.exe
1120	Synaptics.exe
1820	setup v1.1.bat
2112	Mega_Joiner.exe
3428	msdcsc.exe
4348	FreeBLASTHACK3.exe
3736	._cache_FreeBLASTHACK3.exe
2656	WallHack.exe
1076	._cache_WallHack.exe
3560	ExtrimHack by Tickek.exe
3396	FreeBLASTHACK3.exe
1404	._cache_FreeBLASTHACK3.exe
4520	sihost64.exe
3172	Services.exe
2076	sihost64.exe
4128	ChromeRecovery.exe
4880	software_reporter_tool.exe
2624	software_reporter_tool.exe
1496	software_reporter_tool.exe
1932	software_reporter_tool.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4344 attrib.exe
4388 attrib.exe

pid	process
4344	attrib.exe
4388	attrib.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Mega_joiner.exe	upx
behavioral1/memory/2112-146-0x0000000000400000-0x0000000000582000-memory.dmp	upx
behavioral1/memory/2112-152-0x0000000000400000-0x0000000000582000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Mega_Joiner.exe	upx
behavioral1/memory/2112-245-0x0000000000400000-0x0000000000582000-memory.dmp	upx

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Mega_joiner.exesetup v1.1.batFreeBLASTHACK3.exeWallHack.exe._cache_WallHack.exeFreeBLASTHACK3.exeExtrimHack by Tickek.exeServices.exe._cache_Mega_joiner.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	Mega_joiner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	setup v1.1.bat
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	FreeBLASTHACK3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	WallHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	._cache_WallHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	FreeBLASTHACK3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	ExtrimHack by Tickek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	Services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	._cache_Mega_joiner.exe

Loads dropped DLL 12 IoCs

Processes:

Synaptics.exeFreeBLASTHACK3.exesoftware_reporter_tool.exe

pid	process
1120	Synaptics.exe
1120	Synaptics.exe
1120	Synaptics.exe
3396	FreeBLASTHACK3.exe
3396	FreeBLASTHACK3.exe
1496	software_reporter_tool.exe
1496	software_reporter_tool.exe
1496	software_reporter_tool.exe
1496	software_reporter_tool.exe
1496	software_reporter_tool.exe
1496	software_reporter_tool.exe
1496	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Mega_joiner.exesetup v1.1.batmsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Mega_joiner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	setup v1.1.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Services.exe

description pid process target process

PID 3172 set thread context of 1528 3172 Services.exe explorer.exe

description	pid	process	target process
PID 3172 set thread context of 1528	3172	Services.exe	explorer.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4988_1483745804\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4988_1483745804\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4988_1483745804\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4988_1483745804\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4988_1483745804\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4988_1483745804\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4988_1483745804\manifest.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3712 schtasks.exe
1604 schtasks.exe

pid	process
3712	schtasks.exe
1604	schtasks.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 64 IoCs

Processes:

Mega_Joiner.exesetup v1.1.batWallHack.exechrome.exeFreeBLASTHACK3.exeFreeBLASTHACK3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Mega_Joiner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	setup v1.1.bat
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Mega_Joiner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlgLegacy\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1"	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6"	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 14001f80cb859f6720028040b29b5540cc05aab60000	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "4"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlgLegacy\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Mega_Joiner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WallHack.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616193"	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Mega_Joiner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlgLegacy\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:PID = "0"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlgLegacy\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlgLegacy	Mega_Joiner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	Mega_Joiner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	Mega_Joiner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	FreeBLASTHACK3.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3	Mega_Joiner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	FreeBLASTHACK3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlgLegacy\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Mega_Joiner.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000e5500fdf70aed8015694e84b38b2d80143e2e84b38b2d80114000000	Mega_Joiner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlgLegacy\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000030000000200000001000000ffffffff	Mega_Joiner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = ffffffff	Mega_Joiner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Mega_Joiner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	Mega_Joiner.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe._cache_FreeBLASTHACK3.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe._cache_FreeBLASTHACK3.exeExtrimHack by Tickek.exeServices.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4252	chrome.exe
4252	chrome.exe
2252	chrome.exe
2252	chrome.exe
4284	chrome.exe
4284	chrome.exe
1724	chrome.exe
1724	chrome.exe
4480	chrome.exe
4480	chrome.exe
832	chrome.exe
832	chrome.exe
2736	chrome.exe
2736	chrome.exe
3404	chrome.exe
3404	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
1720	chrome.exe
1720	chrome.exe
316	chrome.exe
316	chrome.exe
4764	chrome.exe
4764	chrome.exe
3736	._cache_FreeBLASTHACK3.exe
3736	._cache_FreeBLASTHACK3.exe
4360	chrome.exe
4360	chrome.exe
4536	chrome.exe
4536	chrome.exe
1288	chrome.exe
1288	chrome.exe
1268	chrome.exe
1268	chrome.exe
3420	chrome.exe
3420	chrome.exe
3960	chrome.exe
3960	chrome.exe
3236	chrome.exe
3236	chrome.exe
2392	chrome.exe
2392	chrome.exe
2072	chrome.exe
2072	chrome.exe
1404	._cache_FreeBLASTHACK3.exe
1404	._cache_FreeBLASTHACK3.exe
3560	ExtrimHack by Tickek.exe
3560	ExtrimHack by Tickek.exe
3172	Services.exe
3172	Services.exe
1088	chrome.exe
1088	chrome.exe
3772	chrome.exe
3772	chrome.exe
4544	chrome.exe
4544	chrome.exe
4956	chrome.exe
4956	chrome.exe
4208	chrome.exe
4208	chrome.exe
3704	chrome.exe
3704	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

msdcsc.exeMega_Joiner.exe

pid process

3428 msdcsc.exe
2112 Mega_Joiner.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

644

pid	process
3428	msdcsc.exe
2112	Mega_Joiner.exe

pid	process
644

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

setup v1.1.batmsdcsc.exeExtrimHack by Tickek.exeServices.exeexplorer.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1820	setup v1.1.bat
Token: SeSecurityPrivilege	1820	setup v1.1.bat
Token: SeTakeOwnershipPrivilege	1820	setup v1.1.bat
Token: SeLoadDriverPrivilege	1820	setup v1.1.bat
Token: SeSystemProfilePrivilege	1820	setup v1.1.bat
Token: SeSystemtimePrivilege	1820	setup v1.1.bat
Token: SeProfSingleProcessPrivilege	1820	setup v1.1.bat
Token: SeIncBasePriorityPrivilege	1820	setup v1.1.bat
Token: SeCreatePagefilePrivilege	1820	setup v1.1.bat
Token: SeBackupPrivilege	1820	setup v1.1.bat
Token: SeRestorePrivilege	1820	setup v1.1.bat
Token: SeShutdownPrivilege	1820	setup v1.1.bat
Token: SeDebugPrivilege	1820	setup v1.1.bat
Token: SeSystemEnvironmentPrivilege	1820	setup v1.1.bat
Token: SeChangeNotifyPrivilege	1820	setup v1.1.bat
Token: SeRemoteShutdownPrivilege	1820	setup v1.1.bat
Token: SeUndockPrivilege	1820	setup v1.1.bat
Token: SeManageVolumePrivilege	1820	setup v1.1.bat
Token: SeImpersonatePrivilege	1820	setup v1.1.bat
Token: SeCreateGlobalPrivilege	1820	setup v1.1.bat
Token: 33	1820	setup v1.1.bat
Token: 34	1820	setup v1.1.bat
Token: 35	1820	setup v1.1.bat
Token: 36	1820	setup v1.1.bat
Token: SeIncreaseQuotaPrivilege	3428	msdcsc.exe
Token: SeSecurityPrivilege	3428	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3428	msdcsc.exe
Token: SeLoadDriverPrivilege	3428	msdcsc.exe
Token: SeSystemProfilePrivilege	3428	msdcsc.exe
Token: SeSystemtimePrivilege	3428	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3428	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3428	msdcsc.exe
Token: SeCreatePagefilePrivilege	3428	msdcsc.exe
Token: SeBackupPrivilege	3428	msdcsc.exe
Token: SeRestorePrivilege	3428	msdcsc.exe
Token: SeShutdownPrivilege	3428	msdcsc.exe
Token: SeDebugPrivilege	3428	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3428	msdcsc.exe
Token: SeChangeNotifyPrivilege	3428	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3428	msdcsc.exe
Token: SeUndockPrivilege	3428	msdcsc.exe
Token: SeManageVolumePrivilege	3428	msdcsc.exe
Token: SeImpersonatePrivilege	3428	msdcsc.exe
Token: SeCreateGlobalPrivilege	3428	msdcsc.exe
Token: 33	3428	msdcsc.exe
Token: 34	3428	msdcsc.exe
Token: 35	3428	msdcsc.exe
Token: 36	3428	msdcsc.exe
Token: SeDebugPrivilege	3560	ExtrimHack by Tickek.exe
Token: SeDebugPrivilege	3172	Services.exe
Token: SeLockMemoryPrivilege	1528	explorer.exe
Token: SeLockMemoryPrivilege	1528	explorer.exe
Token: 33	2624	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2624	software_reporter_tool.exe
Token: 33	4880	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4880	software_reporter_tool.exe
Token: 33	1496	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1496	software_reporter_tool.exe
Token: 33	1932	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1932	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeMega_Joiner.exe

pid	process
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
2252	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe
3772	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Mega_Joiner.exemsdcsc.exe

pid process

2112 Mega_Joiner.exe
3428 msdcsc.exe
2112 Mega_Joiner.exe
2112 Mega_Joiner.exe
2112 Mega_Joiner.exe
2112 Mega_Joiner.exe
2112 Mega_Joiner.exe

pid	process
2112	Mega_Joiner.exe
3428	msdcsc.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe
2112	Mega_Joiner.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Mega_joiner.exe._cache_Mega_joiner.exesetup v1.1.batcmd.execmd.exemsdcsc.exechrome.exe

description	pid	process	target process
PID 832 wrote to memory of 4516	832	Mega_joiner.exe	._cache_Mega_joiner.exe
PID 832 wrote to memory of 4516	832	Mega_joiner.exe	._cache_Mega_joiner.exe
PID 832 wrote to memory of 4516	832	Mega_joiner.exe	._cache_Mega_joiner.exe
PID 832 wrote to memory of 1120	832	Mega_joiner.exe	Synaptics.exe
PID 832 wrote to memory of 1120	832	Mega_joiner.exe	Synaptics.exe
PID 832 wrote to memory of 1120	832	Mega_joiner.exe	Synaptics.exe
PID 4516 wrote to memory of 1820	4516	._cache_Mega_joiner.exe	setup v1.1.bat
PID 4516 wrote to memory of 1820	4516	._cache_Mega_joiner.exe	setup v1.1.bat
PID 4516 wrote to memory of 1820	4516	._cache_Mega_joiner.exe	setup v1.1.bat
PID 4516 wrote to memory of 2112	4516	._cache_Mega_joiner.exe	Mega_Joiner.exe
PID 4516 wrote to memory of 2112	4516	._cache_Mega_joiner.exe	Mega_Joiner.exe
PID 4516 wrote to memory of 2112	4516	._cache_Mega_joiner.exe	Mega_Joiner.exe
PID 1820 wrote to memory of 4976	1820	setup v1.1.bat	cmd.exe
PID 1820 wrote to memory of 4976	1820	setup v1.1.bat	cmd.exe
PID 1820 wrote to memory of 4976	1820	setup v1.1.bat	cmd.exe
PID 1820 wrote to memory of 2240	1820	setup v1.1.bat	cmd.exe
PID 1820 wrote to memory of 2240	1820	setup v1.1.bat	cmd.exe
PID 1820 wrote to memory of 2240	1820	setup v1.1.bat	cmd.exe
PID 2240 wrote to memory of 4344	2240	cmd.exe	attrib.exe
PID 2240 wrote to memory of 4344	2240	cmd.exe	attrib.exe
PID 2240 wrote to memory of 4344	2240	cmd.exe	attrib.exe
PID 4976 wrote to memory of 4388	4976	cmd.exe	attrib.exe
PID 4976 wrote to memory of 4388	4976	cmd.exe	attrib.exe
PID 4976 wrote to memory of 4388	4976	cmd.exe	attrib.exe
PID 1820 wrote to memory of 3428	1820	setup v1.1.bat	msdcsc.exe
PID 1820 wrote to memory of 3428	1820	setup v1.1.bat	msdcsc.exe
PID 1820 wrote to memory of 3428	1820	setup v1.1.bat	msdcsc.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 3428 wrote to memory of 2560	3428	msdcsc.exe	notepad.exe
PID 2252 wrote to memory of 1436	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1436	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe
PID 2252 wrote to memory of 1056	2252	chrome.exe	chrome.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4344 attrib.exe
4388 attrib.exe

pid	process
4344	attrib.exe
4388	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Mega_joiner.exe
"C:\Users\Admin\AppData\Local\Temp\Mega_joiner.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\._cache_Mega_joiner.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Mega_joiner.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4516

C:\Users\Admin\AppData\Local\Temp\setup v1.1.bat
"C:\Users\Admin\AppData\Local\Temp\setup v1.1.bat"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\setup v1.1.bat" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\setup v1.1.bat" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4344

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3428

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\Mega_Joiner.exe
"C:\Users\Admin\AppData\Local\Temp\Mega_Joiner.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2112

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfc564f50,0x7ffcfc564f60,0x7ffcfc564f70
2⤵
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:2
2⤵
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2024 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2392 /prefetch:8
2⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
2⤵
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
2⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4484 /prefetch:8
2⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:3276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:8
2⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
2⤵
PID:388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3644 /prefetch:8
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:8
2⤵
PID:612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
2⤵
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:8
2⤵
PID:3640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
2⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
2⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5548 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1596 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
2⤵
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3024 /prefetch:8
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3792 /prefetch:8
2⤵
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3392 /prefetch:8
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1568 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3048 /prefetch:8
2⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3108 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3048 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3652 /prefetch:8
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3964 /prefetch:8
2⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,6265707516941323012,14225640599832288053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4516

C:\Users\Admin\Desktop\FreeBLASTHACK3.exe
"C:\Users\Admin\Desktop\FreeBLASTHACK3.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4348

C:\Users\Admin\Desktop\._cache_FreeBLASTHACK3.exe
"C:\Users\Admin\Desktop\._cache_FreeBLASTHACK3.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:4100

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1428

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5016

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfc564f50,0x7ffcfc564f60,0x7ffcfc564f70
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
2⤵
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2004 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
2⤵
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:1
2⤵
PID:680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
2⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
2⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:8
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
2⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
2⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
2⤵
PID:3296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5708 /prefetch:8
2⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5848 /prefetch:8
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
2⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
2⤵
PID:616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3136 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
2⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
2⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
2⤵
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6508 /prefetch:8
2⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1144 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3000 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6720 /prefetch:8
2⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6708 /prefetch:8
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,6503501350947933725,7946908567173500550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6488 /prefetch:8
2⤵
PID:4304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2044

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:448

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2192

C:\Users\Admin\Desktop\WallHack.exe
"C:\Users\Admin\Desktop\WallHack.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:2656

C:\Users\Admin\Desktop\._cache_WallHack.exe
"C:\Users\Admin\Desktop\._cache_WallHack.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:1076

C:\Users\Admin\AppData\Local\Temp\ExtrimHack by Tickek.exe
"C:\Users\Admin\AppData\Local\Temp\ExtrimHack by Tickek.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
4⤵
PID:616

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
5⤵
- Creates scheduled task(s)
PID:3712

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:4520

C:\Users\Admin\AppData\Roaming\Services.exe
"C:\Users\Admin\AppData\Roaming\Services.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit
5⤵
PID:1400

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'
6⤵
- Creates scheduled task(s)
PID:1604

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
5⤵
- Executes dropped EXE
PID:2076

C:\Windows\explorer.exe
C:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6302247 --pass=cheatcs --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=2 --unam-idle-cpu=80 --unam-stealth
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Users\Admin\AppData\Local\Temp\FreeBLASTHACK3.exe
"C:\Users\Admin\AppData\Local\Temp\FreeBLASTHACK3.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:3396

C:\Users\Admin\Desktop\._cache_FreeBLASTHACK3.exe
"C:\Users\Admin\Desktop\._cache_FreeBLASTHACK3.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
5⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfc564f50,0x7ffcfc564f60,0x7ffcfc564f70
2⤵
PID:3620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:2
2⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2004 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2724 /prefetch:1
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
2⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2408 /prefetch:8
2⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
2⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
2⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:8
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4904 /prefetch:8
2⤵
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
2⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4604 /prefetch:8
2⤵
PID:884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2948 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 /prefetch:8
2⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
2⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:8
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
2⤵
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3416 /prefetch:2
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3416 /prefetch:8
2⤵
PID:884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 /prefetch:8
2⤵
PID:3276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1392 /prefetch:8
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:8
2⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
2⤵
PID:2896

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\103.287.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\103.287.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=jUcxSu17FdsSCd2kx4HJzD8a7BhzINGzMbRkUfDw --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\103.287.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\103.287.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=103.287.200 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff758d9ecc8,0x7ff758d9ecd8,0x7ff758d9ece8
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2624

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\103.287.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\103.287.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_4880_HZWTUFXBUIXWBPEC" --sandboxed-process-id=2 --init-done-notifier=752 --sandbox-mojo-pipe-token=5301965986688144390 --mojo-platform-channel-handle=728 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1496

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\103.287.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\103.287.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_4880_HZWTUFXBUIXWBPEC" --sandboxed-process-id=3 --init-done-notifier=1012 --sandbox-mojo-pipe-token=15071513190819224886 --mojo-platform-channel-handle=1008
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,17804694643728522234,12594474777468755312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3636 /prefetch:8
2⤵
PID:4288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3288

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4988

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4988_1483745804\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4988_1483745804\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={9aff978e-534a-4bf6-a23f-1b74d1c13408} --system
2⤵
- Executes dropped EXE
PID:4128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
ae97bebd310ba5cc61ce9fa4bf13d8b4

SHA1
cb15bcf39ba36451ce23fee1e86d03e59833dd3a

SHA256
f773b61190c1040cb0fa638e1b81d4bc6e371d23f088307dde003b1645b16c5e

SHA512
46e0d7b1a52c1e25bfaf2f4611b451fb7b0cb67c718b9b489555ae56a2961e499d13033cc90e0a01ea0044accf4b67f637df520fa188051fdf7082d989b9ab18

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
ae97bebd310ba5cc61ce9fa4bf13d8b4

SHA1
cb15bcf39ba36451ce23fee1e86d03e59833dd3a

SHA256
f773b61190c1040cb0fa638e1b81d4bc6e371d23f088307dde003b1645b16c5e

SHA512
46e0d7b1a52c1e25bfaf2f4611b451fb7b0cb67c718b9b489555ae56a2961e499d13033cc90e0a01ea0044accf4b67f637df520fa188051fdf7082d989b9ab18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
3734565ac3cb417390678199411b2f01

SHA1
f1fa62547156c234974152fd12275b3fc7e786db

SHA256
3c22c3d3caa9ecac1bf3ef5b4f75cd7ae35d1e17e9316304463af2ca7b3726fd

SHA512
9ab906813dde11e99dd3e7b45ebe77254073bbf7a471c8e5ebdc82eea61d362612519bb84a4a122ed5e582209fd2eaa33e32905f2746d3eed62004d3610f23aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
b1275108213ae414d22c12eb818a541c

SHA1
765a06f9ec8655cc0681fc98fcc32d5b085fc747

SHA256
dd40fb642d03a42d6d1a8b6a89ceee55198e821e7c40daad86ba6da8739a92c7

SHA512
8db3929b092d1abbd1c224fa6e9617b64ef70859e23858df81a8d2406c27de42a69e3a36debc88e5ee7dce6fb6cac91f4e75dcf17dc48d9990379ae912d4633f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
4e4273c2095197f8c851d4a9c49e8864

SHA1
d7780e5307bacf5c63a9d4be52307b3c356c1f05

SHA256
20d842863b27316ede794185fea33caa0e9f7ecb11b616792a93727a6cf74426

SHA512
8d668a2a05bf087d2ad1ca7435e9d139a3746cefdaacca747858a9a607ea6a05edacae0fd1367db63a7fae1aafd40350b04f7892766d6dded9451ec5a1f1fc8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Mega_joiner.exe
Filesize
1.3MB

MD5
5c6c6515901d648f718dc214425fef25

SHA1
5491dd6c039724f3b36483c1b9d26e0d15e037e7

SHA256
d28d3aeb4cfb449eba55f4f7185a6005f11c8567e30bd06f23e31f11de576bcb

SHA512
aaff91203233e1536292c538c43ab791975f7fae011838ab89af46392b21688b92e61ec65b178ffe1013be65b88084af81c025c33334edb033eed451d2d2d123

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Mega_joiner.exe
Filesize
1.3MB

MD5
5c6c6515901d648f718dc214425fef25

SHA1
5491dd6c039724f3b36483c1b9d26e0d15e037e7

SHA256
d28d3aeb4cfb449eba55f4f7185a6005f11c8567e30bd06f23e31f11de576bcb

SHA512
aaff91203233e1536292c538c43ab791975f7fae011838ab89af46392b21688b92e61ec65b178ffe1013be65b88084af81c025c33334edb033eed451d2d2d123

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mega_Joiner.exe
Filesize
597KB

MD5
2e874400c7e89085a55f8f7ec8610563

SHA1
b86ac72f56330ee8f561bea92e4a39d3cc0eb6c3

SHA256
4eaf17b2e390f19f8ba65a63c6fac7f6a30778160dceecfdcfd48ea5181a4af4

SHA512
33e96bba357d27dbc76b61e6f3689e32e11f940412b8e812bb6fb7338d79a11d529657ab3d1ea9a12e48a448dbdb6ab72e4f7c3a8516e26c07ede582ca986f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mega_joiner.exe
Filesize
597KB

MD5
2e874400c7e89085a55f8f7ec8610563

SHA1
b86ac72f56330ee8f561bea92e4a39d3cc0eb6c3

SHA256
4eaf17b2e390f19f8ba65a63c6fac7f6a30778160dceecfdcfd48ea5181a4af4

SHA512
33e96bba357d27dbc76b61e6f3689e32e11f940412b8e812bb6fb7338d79a11d529657ab3d1ea9a12e48a448dbdb6ab72e4f7c3a8516e26c07ede582ca986f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup v1.1.bat
Filesize
658KB

MD5
a8f3d3d7bf0fe7e2f867af1e67842774

SHA1
fe18117748d89aa8fb12ea2360da5ad605ef246e

SHA256
b9d5d04781ccdb8ecfd35744ecb90b5f49aaf77533b4272dbf0346c0ce31500e

SHA512
976947b11b2d089fbdb4b84f6a2a207f581a0fb892dfa3c97ce09f6c7adc4e689e7904f8e88e20f2e2fea722488b7ede64d84590ee0794a0287c03b40bfba080

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup v1.1.bat
Filesize
658KB

MD5
a8f3d3d7bf0fe7e2f867af1e67842774

SHA1
fe18117748d89aa8fb12ea2360da5ad605ef246e

SHA256
b9d5d04781ccdb8ecfd35744ecb90b5f49aaf77533b4272dbf0346c0ce31500e

SHA512
976947b11b2d089fbdb4b84f6a2a207f581a0fb892dfa3c97ce09f6c7adc4e689e7904f8e88e20f2e2fea722488b7ede64d84590ee0794a0287c03b40bfba080

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
Filesize
658KB

MD5
a8f3d3d7bf0fe7e2f867af1e67842774

SHA1
fe18117748d89aa8fb12ea2360da5ad605ef246e

SHA256
b9d5d04781ccdb8ecfd35744ecb90b5f49aaf77533b4272dbf0346c0ce31500e

SHA512
976947b11b2d089fbdb4b84f6a2a207f581a0fb892dfa3c97ce09f6c7adc4e689e7904f8e88e20f2e2fea722488b7ede64d84590ee0794a0287c03b40bfba080

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
Filesize
658KB

MD5
a8f3d3d7bf0fe7e2f867af1e67842774

SHA1
fe18117748d89aa8fb12ea2360da5ad605ef246e

SHA256
b9d5d04781ccdb8ecfd35744ecb90b5f49aaf77533b4272dbf0346c0ce31500e

SHA512
976947b11b2d089fbdb4b84f6a2a207f581a0fb892dfa3c97ce09f6c7adc4e689e7904f8e88e20f2e2fea722488b7ede64d84590ee0794a0287c03b40bfba080

Download Submit
C:\Users\Admin\Desktop\._cache_FreeBLASTHACK3.exe
Filesize
22KB

MD5
f4c992ca784fbb3688497ff049bc00ba

SHA1
965223a994d4b23fb763a0e0edd63a14e9cd3fbd

SHA256
4a944bd3b9a78bb4c55d01e0d7ed2b16ea7a47e9bb07f3859b1e1afc6f847e86

SHA512
2851d6be2321addef52121d066dc1b7adf34c7800711f9f7cae98d6541ff350ba79500b3603a5d6fdec181fba33ad1ecdace76e9064cdb14980231e84fb21b41

Download Submit
C:\Users\Admin\Desktop\._cache_FreeBLASTHACK3.exe
Filesize
22KB

MD5
f4c992ca784fbb3688497ff049bc00ba

SHA1
965223a994d4b23fb763a0e0edd63a14e9cd3fbd

SHA256
4a944bd3b9a78bb4c55d01e0d7ed2b16ea7a47e9bb07f3859b1e1afc6f847e86

SHA512
2851d6be2321addef52121d066dc1b7adf34c7800711f9f7cae98d6541ff350ba79500b3603a5d6fdec181fba33ad1ecdace76e9064cdb14980231e84fb21b41

Download Submit
C:\Users\Admin\Desktop\FreeBLASTHACK3.exe
Filesize
22KB

MD5
f4c992ca784fbb3688497ff049bc00ba

SHA1
965223a994d4b23fb763a0e0edd63a14e9cd3fbd

SHA256
4a944bd3b9a78bb4c55d01e0d7ed2b16ea7a47e9bb07f3859b1e1afc6f847e86

SHA512
2851d6be2321addef52121d066dc1b7adf34c7800711f9f7cae98d6541ff350ba79500b3603a5d6fdec181fba33ad1ecdace76e9064cdb14980231e84fb21b41

Download Submit
C:\Users\Admin\Desktop\FreeBLASTHACK3.exe
Filesize
22KB

MD5
f4c992ca784fbb3688497ff049bc00ba

SHA1
965223a994d4b23fb763a0e0edd63a14e9cd3fbd

SHA256
4a944bd3b9a78bb4c55d01e0d7ed2b16ea7a47e9bb07f3859b1e1afc6f847e86

SHA512
2851d6be2321addef52121d066dc1b7adf34c7800711f9f7cae98d6541ff350ba79500b3603a5d6fdec181fba33ad1ecdace76e9064cdb14980231e84fb21b41

Download Submit
C:\Users\Admin\Desktop\FreeBLASTHACK3.exe
Filesize
775KB

MD5
f0ea52891c76f6bd1c43cf21eb8aed6f

SHA1
484e13f58d40566ad49e3b74c97afbc72449c749

SHA256
44e5fb0655ae952c2d9fd8b13e752e49f5ce35aff92fd5800cdf13f7181d7fe1

SHA512
1c13c6d23e5f9d3206c03996a2463c2016ff4e7d07d48075d075c07cb8f56e0955f3efff59c28c84e8e06fd7fd72b69fd5b744d579bed987c3fbf5a11c0f37b2

Download Submit
C:\Users\Admin\Desktop\FreeBLASTHACK3.exe
Filesize
775KB

MD5
f0ea52891c76f6bd1c43cf21eb8aed6f

SHA1
484e13f58d40566ad49e3b74c97afbc72449c749

SHA256
44e5fb0655ae952c2d9fd8b13e752e49f5ce35aff92fd5800cdf13f7181d7fe1

SHA512
1c13c6d23e5f9d3206c03996a2463c2016ff4e7d07d48075d075c07cb8f56e0955f3efff59c28c84e8e06fd7fd72b69fd5b744d579bed987c3fbf5a11c0f37b2

Download Submit
\??\pipe\crashpad_2252_GZOJCVLJOLIWGMJE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/616-219-0x0000000000000000-mapping.dmp

Download
memory/1076-215-0x0000000000000000-mapping.dmp

Download
memory/1120-135-0x0000000000000000-mapping.dmp

Download
memory/1400-228-0x0000000000000000-mapping.dmp

Download
memory/1404-220-0x0000000000000000-mapping.dmp

Download
memory/1496-265-0x0000022BB3260000-0x0000022BB32A0000-memory.dmp

Filesize
256KB

Download
memory/1496-256-0x0000000000000000-mapping.dmp

Download
memory/1528-250-0x0000000000000000-0x0000000001200000-memory.dmp

Filesize
18.0MB

Download
memory/1528-241-0x0000000000710000-0x0000000000724000-memory.dmp

Filesize
80KB

Download
memory/1528-263-0x0000000000000000-0x0000000001200000-memory.dmp

Filesize
18.0MB

Download
memory/1528-262-0x0000000000000000-0x0000000001200000-memory.dmp

Filesize
18.0MB

Download
memory/1528-261-0x0000000000000000-0x0000000001200000-memory.dmp

Filesize
18.0MB

Download
memory/1528-249-0x0000000000000000-0x0000000001200000-memory.dmp

Filesize
18.0MB

Download
memory/1528-247-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1528-244-0x0000000002260000-0x0000000002264000-memory.dmp

Filesize
16KB

Download
memory/1528-243-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1528-264-0x0000000000000000-0x0000000001200000-memory.dmp

Filesize
18.0MB

Download
memory/1528-239-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1528-238-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1528-237-0x00000001402E255C-mapping.dmp

Download
memory/1528-236-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/1528-260-0x0000000000000000-0x0000000001200000-memory.dmp

Filesize
18.0MB

Download
memory/1528-251-0x0000000000000000-0x0000000001200000-memory.dmp

Filesize
18.0MB

Download
memory/1528-252-0x0000000000000000-0x0000000001200000-memory.dmp

Filesize
18.0MB

Download
memory/1528-259-0x0000000000000000-0x0000000001200000-memory.dmp

Filesize
18.0MB

Download
memory/1604-229-0x0000000000000000-mapping.dmp

Download
memory/1820-138-0x0000000000000000-mapping.dmp

Download
memory/1932-258-0x0000000000000000-mapping.dmp

Download
memory/2076-235-0x0000000000000000-mapping.dmp

Download
memory/2076-242-0x00007FFCF8570000-0x00007FFCF9031000-memory.dmp

Filesize
10.8MB

Download
memory/2076-246-0x00007FFCF8570000-0x00007FFCF9031000-memory.dmp

Filesize
10.8MB

Download
memory/2112-205-0x0000000007A00000-0x0000000007A10000-memory.dmp

Filesize
64KB

Download
memory/2112-214-0x0000000007A00000-0x0000000007A10000-memory.dmp

Filesize
64KB

Download
memory/2112-146-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2112-245-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2112-191-0x0000000007660000-0x0000000007670000-memory.dmp

Filesize
64KB

Download
memory/2112-193-0x0000000007660000-0x0000000007670000-memory.dmp

Filesize
64KB

Download
memory/2112-192-0x00000000078B0000-0x00000000078C0000-memory.dmp

Filesize
64KB

Download
memory/2112-210-0x0000000007A00000-0x0000000007A10000-memory.dmp

Filesize
64KB

Download
memory/2112-212-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/2112-213-0x0000000007A00000-0x0000000007A10000-memory.dmp

Filesize
64KB

Download
memory/2112-187-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2112-200-0x0000000007660000-0x0000000007670000-memory.dmp

Filesize
64KB

Download
memory/2112-141-0x0000000000000000-mapping.dmp

Download
memory/2112-152-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2112-195-0x00000000078B0000-0x00000000078C0000-memory.dmp

Filesize
64KB

Download
memory/2112-202-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/2240-144-0x0000000000000000-mapping.dmp

Download
memory/2560-151-0x0000000000000000-mapping.dmp

Download
memory/2624-254-0x0000000000000000-mapping.dmp

Download
memory/3172-232-0x000000001FD40000-0x000000001FD52000-memory.dmp

Filesize
72KB

Download
memory/3172-233-0x000000001FD60000-0x000000001FD6A000-memory.dmp

Filesize
40KB

Download
memory/3172-226-0x0000000000000000-mapping.dmp

Download
memory/3172-240-0x00007FFCF8570000-0x00007FFCF9031000-memory.dmp

Filesize
10.8MB

Download
memory/3172-231-0x00007FFCF8570000-0x00007FFCF9031000-memory.dmp

Filesize
10.8MB

Download
memory/3196-223-0x0000000000000000-mapping.dmp

Download
memory/3396-217-0x0000000000000000-mapping.dmp

Download
memory/3428-148-0x0000000000000000-mapping.dmp

Download
memory/3560-221-0x00007FFCF8570000-0x00007FFCF9031000-memory.dmp

Filesize
10.8MB

Download
memory/3560-227-0x00007FFCF8570000-0x00007FFCF9031000-memory.dmp

Filesize
10.8MB

Download
memory/3560-216-0x0000000000000000-mapping.dmp

Download
memory/3560-218-0x00000000009E0000-0x0000000001B78000-memory.dmp

Filesize
17.6MB

Download
memory/3712-222-0x0000000000000000-mapping.dmp

Download
memory/3736-163-0x0000000000000000-mapping.dmp

Download
memory/4100-166-0x0000000000000000-mapping.dmp

Download
memory/4128-248-0x0000000000000000-mapping.dmp

Download
memory/4344-145-0x0000000000000000-mapping.dmp

Download
memory/4388-147-0x0000000000000000-mapping.dmp

Download
memory/4516-132-0x0000000000000000-mapping.dmp

Download
memory/4520-234-0x00007FFCF8570000-0x00007FFCF9031000-memory.dmp

Filesize
10.8MB

Download
memory/4520-224-0x0000000000000000-mapping.dmp

Download
memory/4520-225-0x0000000000D50000-0x0000000000D56000-memory.dmp

Filesize
24KB

Download
memory/4520-230-0x00007FFCF8570000-0x00007FFCF9031000-memory.dmp

Filesize
10.8MB

Download
memory/4880-253-0x0000000000000000-mapping.dmp

Download
memory/4976-143-0x0000000000000000-mapping.dmp

Download
memory/5016-201-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-175-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5016-176-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-179-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-177-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-211-0x0000000003650000-0x0000000003653000-memory.dmp

Filesize
12KB

Download
memory/5016-174-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-173-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5016-172-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5016-209-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5016-171-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5016-206-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5016-170-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5016-169-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-168-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-208-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-207-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5016-167-0x0000000001500000-0x0000000001510000-memory.dmp

Filesize
64KB

Download
memory/5016-204-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-203-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-180-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-198-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5016-199-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-197-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-196-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-194-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-190-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-189-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-182-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-183-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-186-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-185-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/5016-184-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/5016-181-0x0000000001500000-0x0000000001510000-memory.dmp

Filesize
64KB

Download