Malware Analysis Report

2024-10-23 15:42

Sample ID 230726-qdexyabe97
Target NA_1ed33d760f151b33b3d20bf9e_JC.exe
SHA256 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05
Tags
themida redline 250723_rc_11 evasion infostealer spyware trojan laplas clipper persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05

Threat Level: Known bad

The file NA_1ed33d760f151b33b3d20bf9e_JC.exe was found to be: Known bad.

Malicious Activity Summary

themida redline 250723_rc_11 evasion infostealer spyware trojan laplas clipper persistence stealer

Laplas Clipper

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Themida packer

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

GoLang User-Agent

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-26 13:08

Signatures

Themida packer

themida

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-26 13:08

Reported

2023-07-26 13:11

Platform

win7-20230712-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe"

Signatures

RedLine

infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2076 set thread context of 240 | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2076 wrote to memory of 240 (12 events) | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rcam25.tuktuk.ug | udp
NL | 85.209.3.9:11290 | rcam25.tuktuk.ug | tcp

Files

memory/2076-54-0x0000000001210000-0x00000000018C2000-memory.dmp

memory/2076-58-0x0000000075800000-0x0000000075910000-memory.dmp

memory/2076-59-0x0000000074FD0000-0x0000000075017000-memory.dmp

memory/2076-60-0x0000000075800000-0x0000000075910000-memory.dmp

memory/2076-61-0x0000000075800000-0x0000000075910000-memory.dmp

memory/2076-62-0x0000000074FD0000-0x0000000075017000-memory.dmp

memory/2076-63-0x00000000772F0000-0x00000000772F2000-memory.dmp

memory/2076-64-0x0000000001210000-0x00000000018C2000-memory.dmp

memory/2076-65-0x0000000001210000-0x00000000018C2000-memory.dmp

memory/2076-67-0x0000000074FD0000-0x0000000075017000-memory.dmp

memory/2076-68-0x0000000075800000-0x0000000075910000-memory.dmp

memory/2076-69-0x0000000075800000-0x0000000075910000-memory.dmp

memory/2076-70-0x0000000075800000-0x0000000075910000-memory.dmp

memory/2076-71-0x0000000075800000-0x0000000075910000-memory.dmp

memory/2076-72-0x0000000000570000-0x000000000058C000-memory.dmp

memory/2076-73-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-74-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-76-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-78-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-80-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-84-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-82-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-88-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-86-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-90-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-92-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-96-0x0000000000570000-0x0000000000585000-memory.dmp

memory/2076-94-0x0000000000570000-0x0000000000585000-memory.dmp

memory/240-97-0x0000000000400000-0x0000000000430000-memory.dmp

memory/240-99-0x0000000000400000-0x0000000000430000-memory.dmp

memory/240-101-0x0000000000400000-0x0000000000430000-memory.dmp

memory/240-103-0x0000000000400000-0x0000000000430000-memory.dmp

memory/240-105-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/240-106-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2076-111-0x0000000075800000-0x0000000075910000-memory.dmp

memory/240-113-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2076-112-0x0000000074FD0000-0x0000000075017000-memory.dmp

memory/240-109-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2076-114-0x0000000001210000-0x00000000018C2000-memory.dmp

memory/240-116-0x0000000074290000-0x000000007497E000-memory.dmp

memory/240-115-0x0000000000290000-0x0000000000296000-memory.dmp

memory/240-117-0x0000000004B50000-0x0000000004B90000-memory.dmp

memory/240-118-0x0000000074290000-0x000000007497E000-memory.dmp

memory/240-119-0x0000000004B50000-0x0000000004B90000-memory.dmp

memory/240-120-0x0000000074290000-0x000000007497E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-26 13:08

Reported

2023-07-26 13:11

Platform

win10v2004-20230703-en

Max time kernel

153s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe"

Signatures

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
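The registry rows in this behavioral section (the VirtualBox ACPI probe, the two BIOS version queries, the EnableLUA read and the Run key write) are the events a detection engineer would turn into rules. The Python below is an added example and is not part of the sandbox report: it parses rows in the report's own "Description Indicator Process Target" layout, normalizes the \REGISTRY\MACHINE and \REGISTRY\USER\<SID> prefixes to HKLM / HKU, and classifies each event per process. The rules are ours, not the sandbox's: the VBOX__ rule is widened to the FADT and RSDT ACPI tables (which anti-VM code commonly probes alongside DSDT, though this sample only touched DSDT), and the Run-key rule additionally checks whether the registered executable sits in a user-writable AppData path, as ntlhost.exe does here.

```python
"""Classify registry events from sandbox signature rows.

Added example, not part of the report. The rows are copied from the behavioral2
registry tables; the classification rules are ours.
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe"
NOTEPOD = r"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
NTLHOST = r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"

# "Description Indicator Process Target" rows exactly as the report prints them
# (the Run-key row carries its data after " = ", with doubled backslashes).
REG_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ {s} N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ {n} N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion {s} N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion {s} N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion {n} N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA {h} N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" {n} N/A
""".format(s=SAMPLE, n=NOTEPOD, h=NTLHOST)

ROW_RE = re.compile(
    r"^(?P<op>Key opened|Key value queried|Set value \([a-z]+\)) "
    r"(?P<key>\\REGISTRY\\\S+)"
    r'(?: = "(?P<data>[^"]*)")?'
    r" (?P<process>\S+) (?P<target>\S+)$"
)

# (label, pattern over the raw key path). Our rules, not the sandbox's. The VBOX__
# rule is widened to FADT/RSDT, which this sample did not touch.
RULES = [
    ("anti-vm: VirtualBox ACPI table",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("fingerprinting: BIOS version strings",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("evasion: UAC status check (EnableLUA)",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    ("persistence: Run key",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)),
]
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def friendly_key(key: str) -> str:
    """\\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<SID> -> HKU\\<SID>."""
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)
    return re.sub(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", r"HKU\\\1\\", key, flags=re.I)


def parse_rows(rows: str) -> Iterator[dict]:
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify(rows: str) -> Dict[str, List[str]]:
    """Process image -> ordered, de-duplicated list of findings."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for ev in parse_rows(rows):
        for label, pat in RULES:
            if not pat.search(ev["key"]):
                continue
            if label.startswith("persistence") and ev["data"]:
                exe = ev["data"].replace("\\\\", "\\")  # undo the report's escaping
                where = "user-writable" if USER_WRITABLE.match(exe) else "system"
                label = f"{label} {friendly_key(ev['key'])} -> {exe} ({where} path)"
            if label not in findings[ev["process"]]:
                findings[ev["process"]].append(label)
    return dict(findings)


if __name__ == "__main__":
    for proc, hits in classify(REG_ROWS).items():
        print(proc)
        for h in hits:
            print("   ", h)
```

The same three processes that probe for VirtualBox also read EnableLUA, and only Notepod.exe writes the Run key; grouping per process like this makes the dropper/persistence split in the chain visible at a glance.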

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3332 set thread context of 4320 | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3332 wrote to memory of 4320 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4320 wrote to memory of 2960 (2 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 2960 wrote to memory of 2452 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
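The SetThreadContext and WriteProcessMemory tables in this section, and the matching pair in behavioral1 (PID 2076 into 240), describe one injection chain: the Themida-packed sample writes into AppLaunch.exe and resets its thread context, AppLaunch.exe then writes into Notepod.exe, and Notepod.exe into ntlhost.exe. The Python below is an added triage helper and is not part of the sandbox report. It parses rows in the report's own layout, aggregates the repeated WriteProcessMemory events per parent/child pair, walks the resulting tree, and flags a pair as suspected process hollowing when the parent both wrote into the child and replaced its thread context and the child image lives under C:\Windows. That hollowing heuristic is ours; the sandbox only reports the individual API calls. PIDs and paths are those of behavioral2.

```python
"""Rebuild the process-injection chain from sandbox signature rows.

Added triage helper, not part of the sandbox report. The rows are copied
from the behavioral2 SetThreadContext / WriteProcessMemory tables.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
NOTEPOD = r"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
NTLHOST = r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"

# One line per sandbox event in the report's "Description Indicator Process
# Target" layout. The repetition is deliberate: the report lists every call.
ROWS = (
    f"PID 3332 set thread context of 4320 N/A {SAMPLE} {APPLAUNCH}\n"
    + f"PID 3332 wrote to memory of 4320 N/A {SAMPLE} {APPLAUNCH}\n" * 8
    + f"PID 4320 wrote to memory of 2960 N/A {APPLAUNCH} {NOTEPOD}\n" * 2
    + f"PID 2960 wrote to memory of 2452 N/A {NOTEPOD} {NTLHOST}\n" * 2
)

ROW_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (\S+) (\S+)$"
)
Edge = Tuple[int, int]  # (parent pid, child pid)


def parse_edges(rows: str) -> Dict[Edge, dict]:
    """Aggregate events into (parent, child) -> {src, dst, writes, set_context}."""
    edges: Dict[Edge, dict] = {}
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not an injection row; other signature tables differ in shape
        src, action, dst, src_img, dst_img = m.groups()
        e = edges.setdefault(
            (int(src), int(dst)),
            {"src": src_img, "dst": dst_img, "writes": 0, "set_context": False},
        )
        if action == "wrote to memory of":
            e["writes"] += 1
        else:
            e["set_context"] = True
    return edges


def hollowing_suspects(edges: Dict[Edge, dict]) -> List[Edge]:
    """Our heuristic, not the sandbox's: the parent both wrote into the child and
    reset its thread context, and the child image lives under C:\\Windows. That is
    the hollowing shape: an OS binary (AppLaunch.exe here) is started, its image
    overwritten, and its entry point redirected before it runs."""
    return [
        pair for pair, e in edges.items()
        if e["writes"] > 0 and e["set_context"]
        and e["dst"].lower().startswith("c:\\windows\\")
    ]


def walk(edges: Dict[Edge, dict]) -> List[Tuple[int, int]]:
    """Depth-first (pid, depth) order, starting at PIDs that are never a target."""
    children: Dict[int, List[int]] = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges if src not in targets})
    stack = [(pid, 0) for pid in reversed(roots)]
    out: List[Tuple[int, int]] = []
    while stack:
        pid, depth = stack.pop()
        out.append((pid, depth))
        stack.extend((c, depth + 1) for c in sorted(children[pid], reverse=True))
    return out


def chain(edges: Dict[Edge, dict]) -> List[int]:
    return [pid for pid, _ in walk(edges)]


def render(edges: Dict[Edge, dict]) -> str:
    suspects = {child for _, child in hollowing_suspects(edges)}
    images: Dict[int, str] = {}
    for (src, dst), e in edges.items():
        images[src], images[dst] = e["src"], e["dst"]
    lines = []
    for pid, depth in walk(edges):
        name = images[pid].rsplit("\\", 1)[-1]
        tag = "  [hollowing suspected]" if pid in suspects else ""
        lines.append("  " * depth + f"{pid} {name}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parse_edges(ROWS)))
```

Only the first hop carries a SetThreadContext event, so only AppLaunch.exe is flagged; the later hops (into Notepod.exe and ntlhost.exe) are writes without a context reset, which together with the "Executes dropped EXE" table reads as a dropper writing and launching a file rather than hollowing a running process.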

Processes

C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NA_1ed33d760f151b33b3d20bf9e_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | rcam25.tuktuk.ug | udp
NL | 85.209.3.9:11290 | rcam25.tuktuk.ug | tcp
US | 8.8.8.8:53 | 9.3.209.85.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
NL | 45.66.230.149:80 | 45.66.230.149 | tcp
US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp
US | 8.8.8.8:53 | lpls.tuktuk.ug | udp
NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp
US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp
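The network table mixes three kinds of rows: forward DNS queries to the sandbox's resolver (8.8.8.8:53), reverse lookups (in-addr.arpa) of the peers the guest talked to, and the TCP connections themselves. The Python below is an added example, not part of the report: it parses rows in the report's own "Country Destination Domain Proto" layout, drops the reverse-lookup noise, ties each queried name to the IP the matching TCP row reached, and emits defanged IOCs, flagging the non-standard port (11290) and the connection made to a bare IP with no name. The embedded rows are a subset of this section's table; which connection carried the Go-http-client/1.1 User-Agent is not stated in the report and is not inferred here.

```python
"""Turn the sandbox network table into a defanged IOC list.

Added example, not part of the report. Rows are a subset of behavioral2's
Network table in the report's own "Country Destination Domain Proto" layout.
"""
from collections import OrderedDict
from typing import Dict, Iterator, List, Tuple

NETWORK_ROWS = """
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 rcam25.tuktuk.ug udp
NL 85.209.3.9:11290 rcam25.tuktuk.ug tcp
US 8.8.8.8:53 9.3.209.85.in-addr.arpa udp
NL 45.66.230.149:80 45.66.230.149 tcp
US 8.8.8.8:53 149.230.66.45.in-addr.arpa udp
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp
"""

RESOLVERS = {("8.8.8.8", 53)}  # the sandbox's DNS server, not attacker infrastructure
COMMON_PORTS = {80, 443}
BARE_IP_NOTE = "connection to bare IP (no DNS name)"
ODD_PORT_NOTE = "non-standard port"


def parse(rows: str) -> Iterator[dict]:
    for line in rows.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        yield {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def extract_iocs(rows: str) -> Tuple["OrderedDict", "OrderedDict"]:
    """Return (name -> ip or None, (ip, port) -> endpoint summary), in first-seen order."""
    domains: "OrderedDict[str, str]" = OrderedDict()
    endpoints: "OrderedDict[Tuple[str, int], dict]" = OrderedDict()
    for ev in parse(rows):
        if ev["domain"].endswith(".in-addr.arpa"):
            continue  # PTR lookup of a peer IP, made by the guest OS; carries no attacker name
        if (ev["ip"], ev["port"]) in RESOLVERS:
            domains.setdefault(ev["domain"], None)  # queried name; the answer is not in the row
            continue
        key = (ev["ip"], ev["port"])
        ep = endpoints.setdefault(
            key, {"proto": ev["proto"], "country": ev["country"], "names": set(), "notes": []}
        )
        if ev["port"] not in COMMON_PORTS and ODD_PORT_NOTE not in ep["notes"]:
            ep["notes"].append(ODD_PORT_NOTE)
        if ev["domain"] == ev["ip"]:
            if BARE_IP_NOTE not in ep["notes"]:
                ep["notes"].append(BARE_IP_NOTE)
        else:
            ep["names"].add(ev["domain"])
            domains[ev["domain"]] = ev["ip"]  # the TCP row ties the name to the IP it reached
    return domains, endpoints


def defang(s: str) -> str:
    return s.replace(".", "[.]")


def ioc_lines(rows: str) -> List[str]:
    domains, endpoints = extract_iocs(rows)
    out = []
    for name, ip in domains.items():
        out.append(f"domain  {defang(name)}" + (f" -> {defang(ip)}" if ip else " (queried only)"))
    for (ip, port), ep in endpoints.items():
        names = ", ".join(sorted(defang(n) for n in ep["names"])) or "-"
        notes = f"  [{'; '.join(ep['notes'])}]" if ep["notes"] else ""
        out.append(f"{ep['proto']:<4} {defang(ip)}:{port} ({ep['country']}) names={names}{notes}")
    return out


if __name__ == "__main__":
    print("\n".join(ioc_lines(NETWORK_ROWS)))
```

Two endpoints survive the filtering: 85.209.3.9:11290 (rcam25.tuktuk.ug, the only destination shared by both detonations) and 45.66.230.149:80, which was contacted once by bare IP and once under the name lpls.tuktuk.ug. Block the names and the IP:port pairs rather than the IPs alone; the bare-IP row shows the sample does not depend on the name resolving.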

Files

memory/3332-134-0x0000000000DD0000-0x0000000001482000-memory.dmp

memory/3332-135-0x0000000075480000-0x0000000075570000-memory.dmp

memory/3332-136-0x0000000075480000-0x0000000075570000-memory.dmp

memory/3332-137-0x0000000075480000-0x0000000075570000-memory.dmp

memory/3332-138-0x0000000075480000-0x0000000075570000-memory.dmp

memory/3332-139-0x0000000075480000-0x0000000075570000-memory.dmp

memory/3332-140-0x0000000077174000-0x0000000077176000-memory.dmp

memory/3332-144-0x0000000000DD0000-0x0000000001482000-memory.dmp

memory/3332-145-0x00000000053F0000-0x000000000548C000-memory.dmp

memory/3332-146-0x0000000000DD0000-0x0000000001482000-memory.dmp

memory/3332-147-0x0000000075480000-0x0000000075570000-memory.dmp

memory/3332-148-0x0000000075480000-0x0000000075570000-memory.dmp

memory/3332-149-0x0000000075480000-0x0000000075570000-memory.dmp

memory/3332-150-0x0000000075480000-0x0000000075570000-memory.dmp

memory/3332-152-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-153-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-155-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-157-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-159-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-161-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-163-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-165-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-167-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-169-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-171-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-173-0x0000000003040000-0x0000000003055000-memory.dmp

memory/3332-175-0x0000000003040000-0x0000000003055000-memory.dmp

memory/4320-176-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4320-179-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/3332-180-0x0000000000DD0000-0x0000000001482000-memory.dmp

memory/3332-181-0x0000000075480000-0x0000000075570000-memory.dmp

memory/4320-182-0x0000000005DF0000-0x0000000006408000-memory.dmp

memory/4320-183-0x00000000058E0000-0x00000000059EA000-memory.dmp

memory/4320-184-0x0000000005820000-0x0000000005832000-memory.dmp

memory/4320-185-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/4320-186-0x0000000005880000-0x00000000058BC000-memory.dmp

memory/4320-187-0x0000000005BB0000-0x0000000005C26000-memory.dmp

memory/4320-188-0x0000000005CD0000-0x0000000005D62000-memory.dmp

memory/4320-189-0x0000000006EB0000-0x0000000007454000-memory.dmp

memory/4320-190-0x0000000005D70000-0x0000000005DD6000-memory.dmp

memory/4320-191-0x0000000006CD0000-0x0000000006E92000-memory.dmp

memory/4320-192-0x0000000009080000-0x00000000095AC000-memory.dmp

memory/4320-193-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/4320-194-0x00000000057C0000-0x00000000057D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Notepod.exe (listed 3 times in the report, identical hashes)

MD5 18658dec7775fa53f081b892d6a2b027
SHA1 fa8d901c7aac70e2c37544883ce087e48c6302d1
SHA256 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
SHA512 cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d

memory/2960-206-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/4320-208-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/2960-209-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-210-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-211-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-212-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-213-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-214-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-215-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-216-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-217-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-218-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-219-0x00007FF90B750000-0x00007FF90B945000-memory.dmp

memory/2960-221-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-222-0x0000000000310000-0x0000000000A95000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 9f0befb01d77d751bfb27fd520cbffea
SHA1 c49489a5780f9315aefe698f801b78f114e9bd69
SHA256 cebc9aef1a03d8b4d6ae39651f5e2d4eabfccaf5d514a0f633bb00ca24e3b3e9
SHA512 856132bb5d65583dc92ba15081a7187b50eabda21c598fa6a97ab0f2a83137300777e6da7fc33c4dec15c5420250854b2a6f076fcda706895146ce8ba377550f

memory/2960-225-0x0000000000310000-0x0000000000A95000-memory.dmp

memory/2960-227-0x00007FF90B750000-0x00007FF90B945000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 62b4664f8063c068e052fa5766605dd4
SHA1 882236f7263d971659481cf7987d443007389721
SHA256 c359022559dde1cce30733ab1940e7fdbfa240e3bc179f4a137668c317066109
SHA512 c482cce7fe4cbac458cbf3590544cf83379a3b0818206747958b46db8cbe6ed9cf7a7ecb69b370bd1f77ce6141ee21deae43efa2d574216cf6569d2f5b3f870c

memory/2452-228-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-229-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-230-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-231-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-233-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-234-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-235-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-236-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-237-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-238-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-239-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-240-0x00007FF90B750000-0x00007FF90B945000-memory.dmp

memory/2452-241-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-242-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-243-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-244-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-245-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-246-0x00007FF90B750000-0x00007FF90B945000-memory.dmp

memory/2452-247-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-249-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-250-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-251-0x0000000000660000-0x0000000000DE5000-memory.dmp

memory/2452-252-0x0000000000660000-0x0000000000DE5000-memory.dmp