raccoon | 7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2

Analysis

max time kernel
80s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-03-2022 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.exe
Size

7.5MB
MD5

880fb4689a9b08d4c3e7e2c432608949
SHA1

beecf5c8ff73c04a0ac94a47cab805876c7fbadf
SHA256

7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2
SHA512

8341a4320428f64795b3b2a4171e852a1e894dbf9999c3f43db40198e0ea6330226d9d6377efcf3cf6c18a1c3e7d922946707c7bfc8a92908db3dccd476f9bbf

Score

10^/10

raccoon 5eaa41b3101d5537f786a35da1878f0d1d760e53 discovery evasion stealer themida trojan

Malware Config

Extracted

Family

raccoon

Version

1.7.1-hotfix

Botnet

5eaa41b3101d5537f786a35da1878f0d1d760e53

Attributes

url4cnc
https://telete.in/jbitchsucks

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4328-235-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/4328-237-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/4328-239-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/4328-241-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Drops file in Drivers directory 1 IoCs

Processes:

Malwarebytes Premium 4.1.0 64 bit Silent.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat Malwarebytes Premium 4.1.0 64 bit Silent.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	Malwarebytes Premium 4.1.0 64 bit Silent.exe

Executes dropped EXE 17 IoCs

Processes:

7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmpMalwarebytes Premium 4.1.0 64 bit Silent.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exetcblaunch.exetcblaunch.exetcblaunch.exe

pid	process
1524	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
4444	Malwarebytes Premium 4.1.0 64 bit Silent.exe
3700	7z.exe
4612	7z.exe
1148	7z.exe
1288	7z.exe
3328	7z.exe
4012	7z.exe
564	7z.exe
3560	7z.exe
1264	7z.exe
912	7z.exe
3684	7z.exe
2036	7z.exe
4592	tcblaunch.exe
1748	tcblaunch.exe
4328	tcblaunch.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tcblaunch.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tcblaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tcblaunch.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmpWScript.exetcblaunch.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	tcblaunch.exe

Loads dropped DLL 13 IoCs

Processes:

7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	process
1524	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
3700	7z.exe
4612	7z.exe
1148	7z.exe
1288	7z.exe
3328	7z.exe
4012	7z.exe
564	7z.exe
3560	7z.exe
1264	7z.exe
912	7z.exe
3684	7z.exe
2036	7z.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tcblaunch.exe	themida
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tcblaunch.exe	themida
behavioral2/memory/1748-229-0x0000000000A80000-0x0000000000E8E000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tcblaunch.exe	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

tcblaunch.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tcblaunch.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tcblaunch.exe

description pid process target process

PID 1748 set thread context of 4328 1748 tcblaunch.exe tcblaunch.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcblaunch.exe

description	pid	process	target process
PID 1748 set thread context of 4328	1748	tcblaunch.exe	tcblaunch.exe

Drops file in Program Files directory 3 IoCs

Processes:

7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmpMalwarebytes Premium 4.1.0 64 bit Silent.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Malwarebytes Premium 4.1.0 64 bit Silent.exe	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
File created	C:\Program Files (x86)\is-PF7D2.tmp	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
File created	C:\Program Files (x86)\mbamtestfile.dat	Malwarebytes Premium 4.1.0 64 bit Silent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4856 4328 WerFault.exe tcblaunch.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3512 timeout.exe

pid	pid_target	process	target process
4856	4328	WerFault.exe	tcblaunch.exe

pid	process
3512	timeout.exe

Modifies registry class 1 IoCs

Processes:

7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmppowershell.exepowershell.exepowershell.exe

pid	process
1524	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
1524	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
3096	powershell.exe
3096	powershell.exe
2632	powershell.exe
2632	powershell.exe
2064	powershell.exe
2064	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

powershell.exepowershell.exepowershell.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exetcblaunch.exe

description	pid	process
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeRestorePrivilege	3700	7z.exe
Token: 35	3700	7z.exe
Token: SeSecurityPrivilege	3700	7z.exe
Token: SeSecurityPrivilege	3700	7z.exe
Token: SeRestorePrivilege	4612	7z.exe
Token: 35	4612	7z.exe
Token: SeSecurityPrivilege	4612	7z.exe
Token: SeSecurityPrivilege	4612	7z.exe
Token: SeRestorePrivilege	1148	7z.exe
Token: 35	1148	7z.exe
Token: SeSecurityPrivilege	1148	7z.exe
Token: SeSecurityPrivilege	1148	7z.exe
Token: SeRestorePrivilege	1288	7z.exe
Token: 35	1288	7z.exe
Token: SeSecurityPrivilege	1288	7z.exe
Token: SeSecurityPrivilege	1288	7z.exe
Token: SeRestorePrivilege	3328	7z.exe
Token: 35	3328	7z.exe
Token: SeSecurityPrivilege	3328	7z.exe
Token: SeSecurityPrivilege	3328	7z.exe
Token: SeRestorePrivilege	4012	7z.exe
Token: 35	4012	7z.exe
Token: SeSecurityPrivilege	4012	7z.exe
Token: SeSecurityPrivilege	4012	7z.exe
Token: SeRestorePrivilege	564	7z.exe
Token: 35	564	7z.exe
Token: SeSecurityPrivilege	564	7z.exe
Token: SeSecurityPrivilege	564	7z.exe
Token: SeRestorePrivilege	3560	7z.exe
Token: 35	3560	7z.exe
Token: SeSecurityPrivilege	3560	7z.exe
Token: SeSecurityPrivilege	3560	7z.exe
Token: SeRestorePrivilege	1264	7z.exe
Token: 35	1264	7z.exe
Token: SeSecurityPrivilege	1264	7z.exe
Token: SeSecurityPrivilege	1264	7z.exe
Token: SeRestorePrivilege	912	7z.exe
Token: 35	912	7z.exe
Token: SeSecurityPrivilege	912	7z.exe
Token: SeSecurityPrivilege	912	7z.exe
Token: SeRestorePrivilege	2036	7z.exe
Token: 35	2036	7z.exe
Token: SeSecurityPrivilege	2036	7z.exe
Token: SeSecurityPrivilege	2036	7z.exe
Token: SeDebugPrivilege	1748	tcblaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp

pid process

1524 7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.exe7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmpWScript.execmd.execmd.execmd.exetcblaunch.exetcblaunch.exe

description	pid	process	target process
PID 1812 wrote to memory of 1524	1812	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.exe	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
PID 1812 wrote to memory of 1524	1812	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.exe	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
PID 1812 wrote to memory of 1524	1812	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.exe	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
PID 1524 wrote to memory of 3900	1524	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp	WScript.exe
PID 1524 wrote to memory of 3900	1524	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp	WScript.exe
PID 1524 wrote to memory of 3900	1524	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp	WScript.exe
PID 1524 wrote to memory of 4444	1524	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp	Malwarebytes Premium 4.1.0 64 bit Silent.exe
PID 1524 wrote to memory of 4444	1524	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp	Malwarebytes Premium 4.1.0 64 bit Silent.exe
PID 1524 wrote to memory of 4444	1524	7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp	Malwarebytes Premium 4.1.0 64 bit Silent.exe
PID 3900 wrote to memory of 3276	3900	WScript.exe	cmd.exe
PID 3900 wrote to memory of 3276	3900	WScript.exe	cmd.exe
PID 3900 wrote to memory of 3276	3900	WScript.exe	cmd.exe
PID 3276 wrote to memory of 3096	3276	cmd.exe	powershell.exe
PID 3276 wrote to memory of 3096	3276	cmd.exe	powershell.exe
PID 3276 wrote to memory of 3096	3276	cmd.exe	powershell.exe
PID 3276 wrote to memory of 2632	3276	cmd.exe	powershell.exe
PID 3276 wrote to memory of 2632	3276	cmd.exe	powershell.exe
PID 3276 wrote to memory of 2632	3276	cmd.exe	powershell.exe
PID 3276 wrote to memory of 2064	3276	cmd.exe	powershell.exe
PID 3276 wrote to memory of 2064	3276	cmd.exe	powershell.exe
PID 3276 wrote to memory of 2064	3276	cmd.exe	powershell.exe
PID 3900 wrote to memory of 4120	3900	WScript.exe	cmd.exe
PID 3900 wrote to memory of 4120	3900	WScript.exe	cmd.exe
PID 3900 wrote to memory of 4120	3900	WScript.exe	cmd.exe
PID 4120 wrote to memory of 3532	4120	cmd.exe	mode.com
PID 4120 wrote to memory of 3532	4120	cmd.exe	mode.com
PID 4120 wrote to memory of 3532	4120	cmd.exe	mode.com
PID 3900 wrote to memory of 3824	3900	WScript.exe	cmd.exe
PID 3900 wrote to memory of 3824	3900	WScript.exe	cmd.exe
PID 3900 wrote to memory of 3824	3900	WScript.exe	cmd.exe
PID 3824 wrote to memory of 3512	3824	cmd.exe	timeout.exe
PID 3824 wrote to memory of 3512	3824	cmd.exe	timeout.exe
PID 3824 wrote to memory of 3512	3824	cmd.exe	timeout.exe
PID 4120 wrote to memory of 3700	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 3700	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 4612	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 4612	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 1148	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 1148	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 1288	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 1288	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 3328	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 3328	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 4012	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 4012	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 564	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 564	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 3560	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 3560	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 1264	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 1264	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 912	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 912	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 3684	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 3684	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 2036	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 2036	4120	cmd.exe	7z.exe
PID 4120 wrote to memory of 4592	4120	cmd.exe	tcblaunch.exe
PID 4120 wrote to memory of 4592	4120	cmd.exe	tcblaunch.exe
PID 4120 wrote to memory of 4592	4120	cmd.exe	tcblaunch.exe
PID 4592 wrote to memory of 1748	4592	tcblaunch.exe	tcblaunch.exe
PID 4592 wrote to memory of 1748	4592	tcblaunch.exe	tcblaunch.exe
PID 4592 wrote to memory of 1748	4592	tcblaunch.exe	tcblaunch.exe
PID 1748 wrote to memory of 4328	1748	tcblaunch.exe	tcblaunch.exe

C:\Users\Admin\AppData\Local\Temp\7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.exe
"C:\Users\Admin\AppData\Local\Temp\7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\is-5M2R0.tmp\7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5M2R0.tmp\7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp" /SL5="$70054,7173416,834048,C:\Users\Admin\AppData\Local\Temp\7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\wCwNSyD22Uksbp\ixcLgxxLfwFRPQSfOSsbHMgc.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\wCwNSyD22Uksbp\laTzTcsRWcJgdqroqdsOChZV.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\ProgramData"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:USERPROFILE\Temp
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:USERPROFILE\AppData
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\wCwNSyD22Uksbp\main.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\mode.com
mode 65,10
5⤵
PID:3532

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e file.zip -p___________32040pwd16537pwd26539___________ -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e extracted/file_11.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e extracted/file_10.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e extracted/file_9.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e extracted/file_8.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e extracted/file_7.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e extracted/file_6.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e extracted/file_5.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e extracted/file_4.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3684

C:\ProgramData\wCwNSyD22Uksbp\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\ProgramData\wCwNSyD22Uksbp\tcblaunch.exe
"tcblaunch.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tcblaunch.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tcblaunch.exe" /verysilent
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tcblaunch.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tcblaunch.exe"
7⤵
- Executes dropped EXE
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 596
8⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\wCwNSyD22Uksbp\wEcqkfyUaOggTEsEsLOhDuMG.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\timeout.exe
timeout /T 60 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:3512

C:\Program Files (x86)\Malwarebytes Premium 4.1.0 64 bit Silent.exe
"C:\Program Files (x86)\Malwarebytes Premium 4.1.0 64 bit Silent.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4328 -ip 4328
1⤵
PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Malwarebytes Premium 4.1.0 64 bit Silent.exe
MD5
bab3282a9dd117d140ab6f379a0e5604

SHA1
81ff5ea160bd8f5aa2a121f034e298da5844da14

SHA256
856e686ab9cb00abb31702c805b7497ee38b7ff35f3d44d623c890c5508a5854

SHA512
46ce916a6aed7ebe4a26002ed78100d2418ed9ce9fa4b052a28ccb835c47883d99baeca64f65ead79d614f2bcb41e3589bdc51a9ce99b9b0f62206b2cc547c72

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\ANTIAV~1.DAT
MD5
8ed242bc884f336610120b111a85f309

SHA1
3ffc9aa9832bf31cc7c47480b6892bf55a3db76a

SHA256
adc7cbab3def0c78aefaf1434d6e7630e0219377dfe803fc362d943690290a95

SHA512
f9ca0995eaf98c3df958a7cbf766c6829f043e6dbdb3ede3b5f64cd896aadff375a29821f17803b96cf51ddd3cd519f53da7649c25d513d1d3c540f9dd270d34

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\file_10.zip
MD5
a7df7592029db0893b3a56b98dff28b9

SHA1
e2b4b83fe97224d52304d9fa4a1be4f6e6b8c62c

SHA256
ad6b7dc90028d75f316b18b7ae155e4f4c74cb1a69bce16f240a01c3b6f9f515

SHA512
d4f9c0e1af26fda6259979a9d4f8a05e6110d3174ae1a064d7d3246d2e987cf08ec18ddb570a3420bc1c77c59dbdf6bcdbdc9ee6cc8c9314a531ad7e847b2729

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\file_11.zip
MD5
f9b92bbe4227c032796daf21cadcfb7a

SHA1
bce7fdd3de2e2e6779db55ecaae66a4da7cbeba0

SHA256
ec208534f3639e786e1dc748b093b2fa510eed5636119a1dc80a2a835bfa4a0c

SHA512
74b3b873ea013859a931d3550ce0d150d07444fcee8cef208c41b2591e6cafb825f6ecce9c0cfa81732f141508be0d7942aa3da37751687ede4f672ff1842474

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\file_2.zip
MD5
814a1b399c722f8845cb440d3a97d1e1

SHA1
0a47910a1c359706028ae383f6e93810624f86bf

SHA256
ac12d0ce09c37081ec20bde65062b0f80c33f7fedc043269ebd2d0b6a71944bc

SHA512
b36d1ba616d1f9de875bdf1f5995d1ab1a641c44d9839afa2db057290dfa9911c641e938f6402ec6302005220c752bf66fbcbb78638254383118de4235b85645

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\file_3.zip
MD5
ae170583931aef2342f0553110b54b94

SHA1
a5a04261481ccccac86dd8b575767c8d3e811f03

SHA256
5eec1d700a760167ceb2a3fad2ad0e01f5cb27df27ba3e6caa9f7dcf40713fdc

SHA512
14b545d714dce63352e51602bc92b644ae63779aea376de645e6bbd2ebcbf1cbbd3724c0af7d803f8d974e66172314cd2eb0a355ca1b440cae55a23ebaa65832

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\file_4.zip
MD5
562e11b48b56fda56c303c0d5f140c29

SHA1
1dde69dd5af583a6b0142021e9c0fc272634dd50

SHA256
5c1212b7c2acb38015307567b416a8ab722d5aa744958a24eaa30778241d15d6

SHA512
64d55c6425bc9ad275b371de711fd9f5684fe27afa74bcaf0d44787fe68317f1922f5f0e4e4877d47624b6aa4b984b777ca58e95fe3b08de1ea2ddeb221cbbed

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\file_5.zip
MD5
6d58c54020369dadacdb0e8369f93523

SHA1
3f851041c73bf74bd4e161308985adb3aafc243b

SHA256
9b2bcb2a4aed810b57c55d0ee47be606e826afb1c5f72e7e6ea1d981196703a2

SHA512
d3609247acf6e8c74859919b61edd7531d24f135e548b1c9af82ad2fc5e19c122c5ef5cc985f47e49dd03acacae39fe98537d6d33c3203bcb871705e97bbf9a3

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\file_6.zip
MD5
e0d0c82ed96a41c7e3450bb5519bb686

SHA1
9a6615e181e45bb40adea9ffbb19b11fd3e1c9e6

SHA256
aa3ff0b7cf809826fffd861658a7fedb36d57219deb1311bc97810b61cf47632

SHA512
754e4ebec6e4787f41e0e267966a8399cc2f617ca0dcceead83821aa32cdecf492b5137bcb8acc1b3fcf51e044a513d7ba65cc0f04052217b2ecc57fa7293cdf

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\file_7.zip
MD5
e6c1d3ec9647416d6994f5f768ffccc2

SHA1
f98af4d4d3101294fc5732efb83fa97b03257f52

SHA256
cc9df7b357353cc0f382bdaa97f4d821e96943c9d6b55610ae736d59104f6093

SHA512
da0f7a69ca13f89cd8eefe41a4bed754910f67cb730862bf56199f908c5acb79a9cd987e0a53a99ec097c7227e4af15ddcf8331a182c4dd8facbe35335519c94

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\file_8.zip
MD5
112420d3aa5c11589ea15ce03b460807

SHA1
eeafacbc4d73f205d8fda507b6a466c047c69de7

SHA256
d1ddf63176769f48b1d992104a62f9bc92481c69e09b84001b29359ad6046b7c

SHA512
d115a82eab32617564999c013de67c430103b63cac8915aa3c838171a8e7485943fb298668c7bf2d4d6f27654cf1b9356792fea629ff1b4cc247515a88feeef7

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\file_9.zip
MD5
b70dc6a494acede2671607df5ff895ec

SHA1
34bb585735a5575a9c744ad4a55b879f3ab590f5

SHA256
cc8fb19cae0dc9c78d064e7c6f447a64a876593ab2297273db721ee8a73bacda

SHA512
b71bca995ddd15808b7521590ed8a42bbb3051f93528095f21ac78d6658c21b4419b805ca367d53dcf18246af06507a0142d1d70137fc06b4671882452bee5f0

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\extracted\tcblaunch.exe
MD5
b762d89f0cde9210d3448cc149d8c5db

SHA1
0d5c57fd9c0571a3ab7cab94ce43b680c44dfbf2

SHA256
d56cf2e5532bdf65a7b5b51c65f1574d566b23a8b717a7d5eae134298fa646bf

SHA512
eec74a6bbc1cab0788549e97e4b9ce15e42f88c4be8ac0c373cf179a4ee2d9cdf21464cd7def3df307d9ba0a596fbe6add68f0847a751d083fabb654d84958be

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\file.bin
MD5
41c5b35050fc2c1dd7cc90dc0532e60a

SHA1
1e0a82821b77dea0cd5529d40079b48a031f3af3

SHA256
867a26e02a868c70ec2479b13bcf9a0efd14e0320ca0865d85a752c87996642c

SHA512
4a639a9dfd32f162f5e00b7e15a4bfe0773f1a928fbd82747aec3d0b1fc610ba5f946c061aa424b032868df7c4ce5bd83fba896767353af08332b8fc9dad7b60

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\ixcLgxxLfwFRPQSfOSsbHMgc.vbs
MD5
c2bcf560fed9f1f83256aabffadc0adc

SHA1
7e5065e28fc1f8d3d2a62910f655b297a35a56fc

SHA256
2c5dc05ac235ff925ae8f6187d93fe1aa41cba38c4a599022cc5197cf5498645

SHA512
b8e493e8b17b25ab5128a0d47f5dc29c8598685bf38afa5411d720e2d292c3f357ca4f1b6e71822f5f76fffcbcf229bceb01da1dadb7b2d78ac48a5ecfdf390d

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\laTzTcsRWcJgdqroqdsOChZV.bat
MD5
0d73a4434862a8fc0346f17dd675a43e

SHA1
214a87285895a8b4cfee373c6451ae20e120cc6e

SHA256
8054161766b2dd9e0dd1e06ed7b1a7187f5bc12ece81d3fb03255a31f24e52aa

SHA512
d01d40df63766c136ed4a42034a43654d7fbf144577c18a987cf8564a745db6da960f8d037649d478bc13c78e77cfa38d030a4479a6f0fcd8ec3666f617458a4

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\main.bat
MD5
5829ea8d44c7266e61e85a0fd257aa18

SHA1
474ef62f37bee378e3b44ccd02161a36955a2c1f

SHA256
4fcc84fa5a8c9d1d5e782f4018659eef6aaaff3c84e6228ff72fc98a140a86dc

SHA512
d2feb23c23bf276c02499038a4acd0768e389aa9af8d720938eb77d21c306b0a4f22d967477979a7228dfa5ca02029f260f49ab8dd6b440c7a1c8cac904f180a

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\tcblaunch.exe
MD5
b762d89f0cde9210d3448cc149d8c5db

SHA1
0d5c57fd9c0571a3ab7cab94ce43b680c44dfbf2

SHA256
d56cf2e5532bdf65a7b5b51c65f1574d566b23a8b717a7d5eae134298fa646bf

SHA512
eec74a6bbc1cab0788549e97e4b9ce15e42f88c4be8ac0c373cf179a4ee2d9cdf21464cd7def3df307d9ba0a596fbe6add68f0847a751d083fabb654d84958be

Download Submit
C:\ProgramData\wCwNSyD22Uksbp\wEcqkfyUaOggTEsEsLOhDuMG.bat
MD5
9132ee3e42ac66c66672ee4ae9dcff78

SHA1
80c8e3bfd4e1147375c883652739ba29c5eed1b7

SHA256
00ca8f6af112e16c5b2bfd50354165a2bae2dfa577ced06091fb8852994079b9

SHA512
170430868161df0195d1f68e938668d6962af3f4d4626fc8ea6d91b6a2d2e3522dab28d039590952f37729f4792103500caccbfe3a847ef098d4250f34cedbfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0ba6377808646b57131f15d3140776b2

SHA1
b62d4ebc1740343757cdb957ab4aa4913259fa7e

SHA256
a0c532f2153741a1e1544a9115cb7dc4042287dca47f6a64477682eaf0e85bf9

SHA512
f5871abdff278f55387046709aa08f913932183f2faa7ca366f5c7de6f6e48fedafa54af4108284f1aad2ce8e673750e81aac0f5838f8af7fdd4c94c14f08c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c1ffe3c201441e454e03f099c2897fca

SHA1
c2e239ede63a522c00f6e059aba9414abc92767f

SHA256
b3a1434e2895244afa9d82c6240068b90c49a147080ce0922c719d9aed5fea11

SHA512
c2e42f0329af5e54b2fa512a7475b2d2a768312c0ef441a58c2642c3d658a1ada521dbef7389af866b555ccacb5ca9e2d0a2e08351b5b0cf5ab59981d4f7a3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tcblaunch.exe
MD5
141975f2e264573e83c8dae833e6c257

SHA1
2f293916f7ca303fb4597f9ce87ab193bff7ec46

SHA256
42eee5c52a0dad1008b83ea77f4204d37627bbb0e28109713ce827ed0d2258fe

SHA512
392244aca27eb0dc34712f6baf4235aadce59a76680420533926724b4c71280822d69d71641e47d9873d2e9a932ff8d2fecb51880648aacce5e847ff182c799e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tcblaunch.exe
MD5
141975f2e264573e83c8dae833e6c257

SHA1
2f293916f7ca303fb4597f9ce87ab193bff7ec46

SHA256
42eee5c52a0dad1008b83ea77f4204d37627bbb0e28109713ce827ed0d2258fe

SHA512
392244aca27eb0dc34712f6baf4235aadce59a76680420533926724b4c71280822d69d71641e47d9873d2e9a932ff8d2fecb51880648aacce5e847ff182c799e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tcblaunch.exe
MD5
141975f2e264573e83c8dae833e6c257

SHA1
2f293916f7ca303fb4597f9ce87ab193bff7ec46

SHA256
42eee5c52a0dad1008b83ea77f4204d37627bbb0e28109713ce827ed0d2258fe

SHA512
392244aca27eb0dc34712f6baf4235aadce59a76680420533926724b4c71280822d69d71641e47d9873d2e9a932ff8d2fecb51880648aacce5e847ff182c799e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5M2R0.tmp\7812e73cb8301637b765cde96a7eb583e0b879fb2a18066ea4d01c132814f6f2.tmp
MD5
49372143a797fb36e4abfad427fac2ed

SHA1
0d2f704189c78276892645e2a030647a36ca6124

SHA256
175a0887cd6970052c04ff464f0aeef1bdf1ec1d0836066c6c417c3d96f5ed96

SHA512
2377b37a5a9dfa4cdc2db071364c445b42bbbb55a336a7cab96093bf8112e0b431614cdf231f4377413b75560146af52fc013bd107708f314c6490ca08315fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UIME1.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1524-135-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1748-231-0x00000000727B0000-0x0000000072F60000-memory.dmp

Filesize
7.7MB

Download
memory/1748-219-0x0000000077110000-0x0000000077200000-memory.dmp

Filesize
960KB

Download
memory/1748-233-0x0000000008280000-0x0000000008824000-memory.dmp

Filesize
5.6MB

Download
memory/1748-230-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/1748-234-0x0000000007E90000-0x0000000007F22000-memory.dmp

Filesize
584KB

Download
memory/1748-229-0x0000000000A80000-0x0000000000E8E000-memory.dmp

Filesize
4.1MB

Download
memory/1748-225-0x0000000077110000-0x0000000077200000-memory.dmp

Filesize
960KB

Download
memory/1748-238-0x0000000077110000-0x0000000077200000-memory.dmp

Filesize
960KB

Download
memory/1748-224-0x0000000077110000-0x0000000077200000-memory.dmp

Filesize
960KB

Download
memory/1748-223-0x0000000077110000-0x0000000077200000-memory.dmp

Filesize
960KB

Download
memory/1748-218-0x0000000077110000-0x0000000077200000-memory.dmp

Filesize
960KB

Download
memory/1748-221-0x0000000077110000-0x0000000077200000-memory.dmp

Filesize
960KB

Download
memory/1748-222-0x0000000077110000-0x0000000077200000-memory.dmp

Filesize
960KB

Download
memory/1748-232-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/1748-220-0x0000000077110000-0x0000000077200000-memory.dmp

Filesize
960KB

Download
memory/1812-134-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1812-130-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2064-169-0x00000000726B0000-0x0000000072E60000-memory.dmp

Filesize
7.7MB

Download
memory/2064-172-0x00000000050D5000-0x00000000050D7000-memory.dmp

Filesize
8KB

Download
memory/2064-171-0x00000000050D2000-0x00000000050D3000-memory.dmp

Filesize
4KB

Download
memory/2064-170-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2064-174-0x000000007F2D0000-0x000000007F2D1000-memory.dmp

Filesize
4KB

Download
memory/2064-173-0x0000000073DB0000-0x0000000073DFC000-memory.dmp

Filesize
304KB

Download
memory/2632-167-0x000000007F8D0000-0x000000007F8D1000-memory.dmp

Filesize
4KB

Download
memory/2632-166-0x00000000027F5000-0x00000000027F7000-memory.dmp

Filesize
8KB

Download
memory/2632-165-0x0000000073DB0000-0x0000000073DFC000-memory.dmp

Filesize
304KB

Download
memory/2632-164-0x00000000027F2000-0x00000000027F3000-memory.dmp

Filesize
4KB

Download
memory/2632-162-0x00000000726B0000-0x0000000072E60000-memory.dmp

Filesize
7.7MB

Download
memory/2632-163-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3096-158-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/3096-151-0x0000000073F00000-0x0000000073F4C000-memory.dmp

Filesize
304KB

Download
memory/3096-140-0x0000000004E60000-0x0000000005488000-memory.dmp

Filesize
6.2MB

Download
memory/3096-141-0x00000000725A0000-0x0000000072D50000-memory.dmp

Filesize
7.7MB

Download
memory/3096-142-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/3096-143-0x00000000027C2000-0x00000000027C3000-memory.dmp

Filesize
4KB

Download
memory/3096-144-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

Filesize
136KB

Download
memory/3096-145-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/3096-146-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/3096-147-0x0000000005C90000-0x0000000005CAE000-memory.dmp

Filesize
120KB

Download
memory/3096-149-0x000000007FB20000-0x000000007FB21000-memory.dmp

Filesize
4KB

Download
memory/3096-148-0x00000000027C5000-0x00000000027C7000-memory.dmp

Filesize
8KB

Download
memory/3096-150-0x0000000006230000-0x0000000006262000-memory.dmp

Filesize
200KB

Download
memory/3096-139-0x00000000026C0000-0x00000000026F6000-memory.dmp

Filesize
216KB

Download
memory/3096-152-0x0000000006210000-0x000000000622E000-memory.dmp

Filesize
120KB

Download
memory/3096-153-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/3096-154-0x0000000006CD0000-0x0000000006CEA000-memory.dmp

Filesize
104KB

Download
memory/3096-155-0x0000000007010000-0x000000000701A000-memory.dmp

Filesize
40KB

Download
memory/3096-159-0x00000000072B0000-0x00000000072B8000-memory.dmp

Filesize
32KB

Download
memory/3096-156-0x0000000007200000-0x0000000007296000-memory.dmp

Filesize
600KB

Download
memory/3096-157-0x00000000071C0000-0x00000000071CE000-memory.dmp

Filesize
56KB

Download
memory/4328-237-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4328-239-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4328-241-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4328-235-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download