laplas | 43ca13b1d4234eea47695bce03ff36180038896a84d6bd3004a2a17730c710fc

Analysis

max time kernel
113s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19-07-2023 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
Size

2.3MB
MD5

623bca798c05a1e5dc5a26ff57329459
SHA1

5d3db9376a7581fad4db73b87bcf6ce555e6138b
SHA256

8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c
SHA512

1923e4bf43651cd2423275d4383b013dbbe0f05870245229d6bd6ca650c536368f44d4b72cd9ca393b4269c88f5d4954826a4d1042144c5053140f463f54032d
SSDEEP

49152:magq7j1kTKNpT+1OzKamfw3Fryxqu4m/YjsqV51RoipOm5FGWCmP9:Zgq7STKNUA7mfEO4cYjsq1RoinZCml

Score

10^/10

laplas redline 170723_rc_11 clipper evasion infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

170723_rc_11

rcam17.tuktuk.ug:11290

Attributes

auth_value
ddbd29a91f6321652fef2b14e5ac70d5

Extracted

Family

laplas

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1988 created 1400	1988	TaskMnr.exe	18

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Octium.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TaskMnr.exe

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Octium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Octium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TaskMnr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TaskMnr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Executes dropped EXE 3 IoCs

pid	Process
1440	Octium.exe
1988	TaskMnr.exe
1672	ntlhost.exe

Loads dropped DLL 3 IoCs

pid	Process
2928	AppLaunch.exe
2928	AppLaunch.exe
1440	Octium.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2632-68-0x0000000000090000-0x0000000000660000-memory.dmp	themida
behavioral1/memory/2632-119-0x0000000000090000-0x0000000000660000-memory.dmp	themida
behavioral1/files/0x0007000000016d41-147.dat	themida
behavioral1/files/0x0007000000016d41-149.dat	themida
behavioral1/memory/1988-151-0x000000013F7D0000-0x000000014085B000-memory.dmp	themida
behavioral1/memory/1988-152-0x000000013F7D0000-0x000000014085B000-memory.dmp	themida
behavioral1/memory/1988-155-0x000000013F7D0000-0x000000014085B000-memory.dmp	themida
behavioral1/memory/1988-156-0x000000013F7D0000-0x000000014085B000-memory.dmp	themida
behavioral1/memory/1988-157-0x000000013F7D0000-0x000000014085B000-memory.dmp	themida
behavioral1/memory/1988-158-0x000000013F7D0000-0x000000014085B000-memory.dmp	themida
behavioral1/memory/1988-159-0x000000013F7D0000-0x000000014085B000-memory.dmp	themida
behavioral1/memory/1988-163-0x000000013F7D0000-0x000000014085B000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	Octium.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Octium.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TaskMnr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
1440	Octium.exe
1988	TaskMnr.exe
1672	ntlhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1616	sc.exe
952	sc.exe
2656	sc.exe
1596	sc.exe
2252	sc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2384	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	6	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
2928	AppLaunch.exe
2928	AppLaunch.exe
1988	TaskMnr.exe
1988	TaskMnr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
Token: SeDebugPrivilege	2928	AppLaunch.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2848	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	28
PID 2632 wrote to memory of 2848	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	28
PID 2632 wrote to memory of 2848	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	28
PID 2632 wrote to memory of 2848	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	28
PID 2632 wrote to memory of 2848	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	28
PID 2632 wrote to memory of 2848	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	28
PID 2632 wrote to memory of 2848	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	28
PID 2632 wrote to memory of 2404	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	29
PID 2632 wrote to memory of 2404	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	29
PID 2632 wrote to memory of 2404	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	29
PID 2632 wrote to memory of 2404	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	29
PID 2632 wrote to memory of 2404	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	29
PID 2632 wrote to memory of 2404	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	29
PID 2632 wrote to memory of 2404	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	29
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2632 wrote to memory of 2928	2632	8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe	30
PID 2928 wrote to memory of 1440	2928	AppLaunch.exe	34
PID 2928 wrote to memory of 1440	2928	AppLaunch.exe	34
PID 2928 wrote to memory of 1440	2928	AppLaunch.exe	34
PID 2928 wrote to memory of 1440	2928	AppLaunch.exe	34
PID 2928 wrote to memory of 1988	2928	AppLaunch.exe	35
PID 2928 wrote to memory of 1988	2928	AppLaunch.exe	35
PID 2928 wrote to memory of 1988	2928	AppLaunch.exe	35
PID 2928 wrote to memory of 1988	2928	AppLaunch.exe	35
PID 1440 wrote to memory of 1672	1440	Octium.exe	36
PID 1440 wrote to memory of 1672	1440	Octium.exe	36
PID 1440 wrote to memory of 1672	1440	Octium.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe
  "C:\Users\Admin\AppData\Local\Temp\8b11bff6246c53c7a2488b7375ce50a193a3e7a01e1f9bd4856bc55d90fb9e7c.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\Octium.exe
      "C:\Users\Admin\AppData\Local\Temp\Octium.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe
      "C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:2260
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1824
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1616
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:952
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2656
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1596
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2252
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1508
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2080
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#chpgfu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:880
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2384
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Octium.exe

Filesize
4.0MB

MD5
e1cd1c30f4761a2bf4c878ef0a723435

SHA1
8fe5aaf4f0906bbc33c73819fd27eb838cc096e0

SHA256
b20d74c759e6d677148c3cf1ddac1056631d69ec738f098d2c8103782d8d82c6

SHA512
ecf459342f3d6aa775fa471e9b80d457a8a6bdaae18ffe0495fb044c1a665bd6efcfe9fbf27f8e977939797b1caff468e3b5e2a41b433f080e7b63c7fc8d32d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Octium.exe

Filesize
4.0MB

MD5
e1cd1c30f4761a2bf4c878ef0a723435

SHA1
8fe5aaf4f0906bbc33c73819fd27eb838cc096e0

SHA256
b20d74c759e6d677148c3cf1ddac1056631d69ec738f098d2c8103782d8d82c6

SHA512
ecf459342f3d6aa775fa471e9b80d457a8a6bdaae18ffe0495fb044c1a665bd6efcfe9fbf27f8e977939797b1caff468e3b5e2a41b433f080e7b63c7fc8d32d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe

Filesize
9.2MB

MD5
c74b706ecaa058e6e71e7b4b64dff9df

SHA1
5fa641b867716e397c449a7eeae77e37a0c8c804

SHA256
c2520a713db1ddda557dc6d4ace41e12d02bde143df9275e5fcc48a0fea8a21f

SHA512
ab3b626c27dfaf1b991a3f2650e5c0896f248eed4b10ff903047f63fe72874229138c85615ab063904654b2abc0226ad7e7151148b09731dd761a527a8e4a591

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0cf1452a5fdb23833ada0f4b173157dd

SHA1
8151e61921c0915a107389947f0ca7fcc1306eb0

SHA256
38c0122ce73cf4e45a7811577b259b6e5fe22ee8c88a0b297611ca0ea45a1d19

SHA512
9119b8745aaf5a6ca08630b8bec3477ae65c8c0838f83fc03c897113cb81a2438682aa6ee87793e63eb3316d71cb00ad80e488dcf8369ab75fb044c0f7c85a2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V2H01GKU4HYNXIMMN6SN.temp

Filesize
7KB

MD5
0cf1452a5fdb23833ada0f4b173157dd

SHA1
8151e61921c0915a107389947f0ca7fcc1306eb0

SHA256
38c0122ce73cf4e45a7811577b259b6e5fe22ee8c88a0b297611ca0ea45a1d19

SHA512
9119b8745aaf5a6ca08630b8bec3477ae65c8c0838f83fc03c897113cb81a2438682aa6ee87793e63eb3316d71cb00ad80e488dcf8369ab75fb044c0f7c85a2e

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
212.6MB

MD5
c19bd988a68dcf981eaf38d02763e9e4

SHA1
69cd0ac4e679219c5684f77a414981b69a2cceee

SHA256
0994936bd7e1d101e704c737b4a53b83ce4a82087de1db40290f34a010b7e6a2

SHA512
8c66d7e551bcf791faf526591e2ea14c7975122af7d735cb3c2d757a900a19095858425fe8c871dbab7f51228b6badef960df0e9e153f0f6d8308a32641a9319

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
214.8MB

MD5
68630d0afca7b7e9b2e665cd0c150762

SHA1
ac4ca1f27f5db81fa972a911b1a9572001b2cf1c

SHA256
b5f460c8ffd69703db82d7b84402b651717dc30b45bacc471ef693807c59f92c

SHA512
bea07811d9aef0d27978487ce9170384cab6036d6222987184b95a9a491ce96bbeac4eb7b8dee7531f1ee9ccc0caaf34dea6c8da080391ec3be89b6750758984

Download Submit
\Users\Admin\AppData\Local\Temp\Octium.exe

Filesize
4.0MB

MD5
e1cd1c30f4761a2bf4c878ef0a723435

SHA1
8fe5aaf4f0906bbc33c73819fd27eb838cc096e0

SHA256
b20d74c759e6d677148c3cf1ddac1056631d69ec738f098d2c8103782d8d82c6

SHA512
ecf459342f3d6aa775fa471e9b80d457a8a6bdaae18ffe0495fb044c1a665bd6efcfe9fbf27f8e977939797b1caff468e3b5e2a41b433f080e7b63c7fc8d32d8

Download Submit
\Users\Admin\AppData\Local\Temp\TaskMnr.exe

Filesize
9.2MB

MD5
c74b706ecaa058e6e71e7b4b64dff9df

SHA1
5fa641b867716e397c449a7eeae77e37a0c8c804

SHA256
c2520a713db1ddda557dc6d4ace41e12d02bde143df9275e5fcc48a0fea8a21f

SHA512
ab3b626c27dfaf1b991a3f2650e5c0896f248eed4b10ff903047f63fe72874229138c85615ab063904654b2abc0226ad7e7151148b09731dd761a527a8e4a591

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
208.8MB

MD5
de7b8edd1959835368d286b520b0a195

SHA1
29036f2516b502738f0dace952450ba7967b0e6a

SHA256
e84676d6c05991e79bd590c696d2bcb96877f70d37042f473aaa19464f30b8df

SHA512
c66e0f8942e34a70e91432384f5ee1868523d24845f498f89bbeff10f35fbf87f1fc1cb3473aa21a13433f310d9c532342e8e222a10d41f03e533b3f5396e9a3

Download Submit
memory/880-226-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/880-227-0x000007FEF4950000-0x000007FEF52ED000-memory.dmp

Filesize
9.6MB

Download
memory/880-230-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/880-231-0x0000000001DC0000-0x0000000001DC8000-memory.dmp

Filesize
32KB

Download
memory/1332-216-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1332-218-0x00000000771D0000-0x00000000772EF000-memory.dmp

Filesize
1.1MB

Download
memory/1440-137-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-174-0x00000000286F0000-0x000000002904E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-143-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-142-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-141-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-140-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-139-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-138-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-136-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-133-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1440-160-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-161-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-162-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1440-134-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-164-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-145-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-166-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-172-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-132-0x0000000000030000-0x000000000098E000-memory.dmp

Filesize
9.4MB

Download
memory/1440-173-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1672-175-0x0000000000340000-0x0000000000C9E000-memory.dmp

Filesize
9.4MB

Download
memory/1672-176-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1672-177-0x0000000000340000-0x0000000000C9E000-memory.dmp

Filesize
9.4MB

Download
memory/1672-178-0x0000000000340000-0x0000000000C9E000-memory.dmp

Filesize
9.4MB

Download
memory/1672-179-0x0000000000340000-0x0000000000C9E000-memory.dmp

Filesize
9.4MB

Download
memory/1672-180-0x0000000000340000-0x0000000000C9E000-memory.dmp

Filesize
9.4MB

Download
memory/1672-181-0x0000000000340000-0x0000000000C9E000-memory.dmp

Filesize
9.4MB

Download
memory/1672-182-0x0000000000340000-0x0000000000C9E000-memory.dmp

Filesize
9.4MB

Download
memory/1672-186-0x0000000000340000-0x0000000000C9E000-memory.dmp

Filesize
9.4MB

Download
memory/1672-187-0x0000000000340000-0x0000000000C9E000-memory.dmp

Filesize
9.4MB

Download
memory/1672-190-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1672-191-0x0000000000340000-0x0000000000C9E000-memory.dmp

Filesize
9.4MB

Download
memory/1988-165-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1988-151-0x000000013F7D0000-0x000000014085B000-memory.dmp

Filesize
16.5MB

Download
memory/1988-156-0x000000013F7D0000-0x000000014085B000-memory.dmp

Filesize
16.5MB

Download
memory/1988-155-0x000000013F7D0000-0x000000014085B000-memory.dmp

Filesize
16.5MB

Download
memory/1988-154-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1988-152-0x000000013F7D0000-0x000000014085B000-memory.dmp

Filesize
16.5MB

Download
memory/1988-158-0x000000013F7D0000-0x000000014085B000-memory.dmp

Filesize
16.5MB

Download
memory/1988-159-0x000000013F7D0000-0x000000014085B000-memory.dmp

Filesize
16.5MB

Download
memory/1988-163-0x000000013F7D0000-0x000000014085B000-memory.dmp

Filesize
16.5MB

Download
memory/1988-157-0x000000013F7D0000-0x000000014085B000-memory.dmp

Filesize
16.5MB

Download
memory/2260-204-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2260-205-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2260-206-0x000007FEF49C0000-0x000007FEF535D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-207-0x000007FEF49C0000-0x000007FEF535D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-210-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/2260-209-0x000007FEF49C0000-0x000007FEF535D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-212-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/2632-69-0x0000000000090000-0x0000000000660000-memory.dmp

Filesize
5.8MB

Download
memory/2632-74-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-75-0x0000000076EB0000-0x0000000076EF7000-memory.dmp

Filesize
284KB

Download
memory/2632-68-0x0000000000090000-0x0000000000660000-memory.dmp

Filesize
5.8MB

Download
memory/2632-54-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-53-0x0000000000090000-0x0000000000660000-memory.dmp

Filesize
5.8MB

Download
memory/2632-55-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-56-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-72-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-73-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-57-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-58-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-62-0x0000000076EB0000-0x0000000076EF7000-memory.dmp

Filesize
284KB

Download
memory/2632-71-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-60-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-120-0x0000000076EB0000-0x0000000076EF7000-memory.dmp

Filesize
284KB

Download
memory/2632-119-0x0000000000090000-0x0000000000660000-memory.dmp

Filesize
5.8MB

Download
memory/2632-118-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-65-0x0000000076EB0000-0x0000000076EF7000-memory.dmp

Filesize
284KB

Download
memory/2632-84-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-77-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-67-0x00000000774E0000-0x00000000774E2000-memory.dmp

Filesize
8KB

Download
memory/2632-66-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-64-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-76-0x0000000076A40000-0x0000000076B50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-78-0x0000000000AF0000-0x0000000000B0C000-memory.dmp

Filesize
112KB

Download
memory/2632-79-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-80-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-82-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-102-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-98-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-100-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-94-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-96-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-92-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-90-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-88-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2632-86-0x0000000000AF0000-0x0000000000B05000-memory.dmp

Filesize
84KB

Download
memory/2928-122-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-103-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2928-107-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2928-105-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2928-109-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2928-111-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-112-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2928-114-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2928-116-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2928-121-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2928-123-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/2928-124-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-125-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/2928-153-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-131-0x0000000007080000-0x00000000079DE000-memory.dmp

Filesize
9.4MB

Download
memory/2928-150-0x0000000006F10000-0x0000000007F9B000-memory.dmp

Filesize
16.5MB

Download