Malware Analysis Report

2025-06-16 04:57

Sample ID 230317-v7prfshd26
Target file.exe
SHA256 ccd1cde08e07f3be31008ea2b7ace4190317f179c3a75e0b9e88670aa70626cb
Tags
laplas clipper discovery persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

ccd1cde08e07f3be31008ea2b7ace4190317f179c3a75e0b9e88670aa70626cb

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

laplas clipper discovery persistence spyware stealer

Laplas Clipper

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

GoLang User-Agent

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-17 17:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-17 17:38

Reported

2023-03-17 17:40

Platform

win7-20230220-en

Max time kernel

134s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Downloads MZ/PE file

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1992 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 632 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 632 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 632 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 632 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1756 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe
PID 1756 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe
PID 1756 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe
PID 1756 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe
PID 1928 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 1928 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 1928 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 1928 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe

"C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
LV | 45.87.154.30:80 | 45.87.154.30 | tcp
N/A | 185.119.196.167:80 | 185.119.196.167 | tcp
LV | 45.87.154.105:80 | 45.87.154.105 | tcp

Files

memory/1992-55-0x00000000002A0000-0x00000000002B5000-memory.dmp

memory/1992-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1992-106-0x0000000000400000-0x0000000002AFB000-memory.dmp

memory/1992-115-0x0000000000400000-0x0000000002AFB000-memory.dmp

memory/1992-124-0x0000000000400000-0x0000000002AFB000-memory.dmp

\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe

MD5 d433fee70e60de32de4608f07bed7d2a
SHA1 8b84224c8319705317340392ad99bc529183a7db
SHA256 0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7
SHA512 ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe

MD5 d433fee70e60de32de4608f07bed7d2a
SHA1 8b84224c8319705317340392ad99bc529183a7db
SHA256 0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7
SHA512 ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe

MD5 d433fee70e60de32de4608f07bed7d2a
SHA1 8b84224c8319705317340392ad99bc529183a7db
SHA256 0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7
SHA512 ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe

MD5 d433fee70e60de32de4608f07bed7d2a
SHA1 8b84224c8319705317340392ad99bc529183a7db
SHA256 0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7
SHA512 ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

memory/1928-129-0x0000000002020000-0x00000000021CA000-memory.dmp

memory/1928-130-0x00000000021D0000-0x00000000025A0000-memory.dmp

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 dccdb86427b178939198ae966505ead9
SHA1 092f5380fc345721367cc2edfe21a3bd3f2ace18
SHA256 2eddde87be5e063b678e444eb874fdc8be1069b53a9a7b2e69a332f5c4f8e56c
SHA512 d6b090a971ece58ba3fd64733d569f22949c197cf392ef8c032aeed4ade3cd396c3443dcce9f2f7e5e8f5265d8935e67e87d183aa4ff37130ae357b9929211e4

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 48f0cc71200a739c01a4bd5ad4f77220
SHA1 28888d8e522a81481ad6faa634ea54b67947364a
SHA256 48656b19b71b535a0358a17a437250e0ea37daa3658ad054d632caa7eb9f7368
SHA512 d2160d2b4236d789ced239d9f079d00a57d97ac8e2ace69733fdbc249c5a508c4910edf0db5bf7405f655821629871acb4c92efe384b38b244f01936870fced4

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 5ee1ce178fc66274194fa269c2a40415
SHA1 10a3ef8222529c0192e4abe25fec71d7edda20a1
SHA256 a8075acb48c453e6b8bc7f06387a45883dad577305dd2a89aa8734135bfa1a8d
SHA512 bdea9f6dc55418156c1c8786e7bde050a17b38e400de90557e399c28865419d2157b504704596a73002725a0fd4e4c5dffea0bc509cd9103e9f62007bb62bb54

memory/1928-139-0x0000000000400000-0x0000000000803000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 8283783bcca6c637ace3df0c28f4780f
SHA1 19f773bf796eae1376f349f4a5ffaec800bb8291
SHA256 57fa5992d5bdf744b355102aeb58798ea669291a6c8b135b3e5c28e4854959d9
SHA512 401040ef31c9ee169706fdbc4bc2e787ce3053679214a79bdf606c7866245497054b6edfd12bfd40a42b1d1fcbc03f679e73f2fb8be94482462e48c7481f457c

memory/1928-140-0x00000000021D0000-0x00000000025A0000-memory.dmp

memory/756-141-0x00000000021A0000-0x000000000234A000-memory.dmp

memory/756-142-0x0000000000400000-0x0000000000803000-memory.dmp

memory/756-143-0x0000000000400000-0x0000000000803000-memory.dmp

memory/756-144-0x0000000000400000-0x0000000000803000-memory.dmp

memory/756-147-0x0000000000400000-0x0000000000803000-memory.dmp

memory/756-148-0x0000000000400000-0x0000000000803000-memory.dmp

memory/756-149-0x0000000000400000-0x0000000000803000-memory.dmp

memory/756-150-0x0000000000400000-0x0000000000803000-memory.dmp

memory/756-151-0x0000000000400000-0x0000000000803000-memory.dmp

memory/756-152-0x0000000000400000-0x0000000000803000-memory.dmp

memory/756-153-0x0000000000400000-0x0000000000803000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-17 17:38

Reported

2023-03-17 17:40

Platform

win10v2004-20230221-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\file.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2564 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 2308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4968 wrote to memory of 2308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4968 wrote to memory of 2308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 448 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe
PID 448 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe
PID 448 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe
PID 1908 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 1908 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 1908 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2564 -ip 2564

C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe

"C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 2284

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
LV | 45.87.154.30:80 | 45.87.154.30 | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.154.87.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
N/A | 185.119.196.167:80 | 185.119.196.167 | tcp
US | 8.8.8.8:53 | 167.196.119.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 20.189.173.10:443 | | tcp
LV | 45.87.154.105:80 | 45.87.154.105 | tcp
US | 8.8.8.8:53 | 105.154.87.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 8.8.8.8:53 | 113.238.32.23.in-addr.arpa | udp

Files

memory/2564-134-0x0000000004840000-0x0000000004855000-memory.dmp

memory/2564-135-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe

MD5 d433fee70e60de32de4608f07bed7d2a
SHA1 8b84224c8319705317340392ad99bc529183a7db
SHA256 0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7
SHA512 ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe

MD5 d433fee70e60de32de4608f07bed7d2a
SHA1 8b84224c8319705317340392ad99bc529183a7db
SHA256 0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7
SHA512 ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

memory/1908-214-0x0000000002810000-0x0000000002BE0000-memory.dmp

memory/2564-215-0x0000000000400000-0x0000000002AFB000-memory.dmp

memory/1908-217-0x0000000000400000-0x0000000000803000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 e0bfbe15e46cea779c24009b69fb4a75
SHA1 d9b919358c54365f092b939137bfc5b266fd3759
SHA256 2a20a959bbe9fd0eb2d44a0d268ed8619dfee735a6a214a3b20cdf53f9f71562
SHA512 331dd86219e57e05b8c234a597107d8d2df90ae989649d207a70f8ab5e0f815848a37687c472430ed3ec918ebc883eb85221820145e21a0e6d43be6bd1384103

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 e2e50ac1922cc98da8b08ffa2279f15a
SHA1 c70e2f5018f4fe4e30bbaf84414732380e8dadbe
SHA256 2fcc9d972e19d33436a05afc19b2bd1b502e8193179317bc1f3c8abae336da52
SHA512 c72f576cb007fc31c2aa722fd8a7eb441952ff96c3ac959200b4717b0e0fdb116bf1002a65454e8827b14f864c189c0d6bd7a4ec05bec89cfe9d6cd06a5be1bf

memory/1908-220-0x0000000000400000-0x0000000000803000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 bb0c13f605cfe5ec08ddae9c2dff2833
SHA1 e639dc7fe022c74999f667782209acce77743624
SHA256 735699bae2c3d0ba49c014c8c29d67a87f4cca3b4c3baa4b5bfa09f1646b572f
SHA512 90c8997153ff5f349e8196309d12b6c95f1df2c84d64db35456a192c455a2d34c77e75a3e24878336f8361f4decacab96b6d0709ffb6545dc1c976fb1c5e99ab

memory/3176-223-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3176-224-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3176-225-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3176-227-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3176-228-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3176-229-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3176-230-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3176-231-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3176-232-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3176-233-0x0000000000400000-0x0000000000803000-memory.dmp

memory/3176-234-0x0000000000400000-0x0000000000803000-memory.dmp