Malware Analysis Report

2024-10-23 15:42

Sample ID 230727-bpwbqsgg92
Target 6659f84db9582049c250a8343dbf9168.bin
SHA256 28d9b2c50d309ba7c95fb614941744bd8caf13be874117552e443997fd44b339
Tags: themida redline 250723_rc_11 evasion infostealer spyware trojan laplas clipper persistence stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 28d9b2c50d309ba7c95fb614941744bd8caf13be874117552e443997fd44b339

Threat Level: Known bad

The file 6659f84db9582049c250a8343dbf9168.bin was found to be: Known bad.

Malicious Activity Summary

RedLine

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Themida packer

Checks BIOS information in registry

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

GoLang User-Agent

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-27 01:19

Signatures

Themida packer

themida

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-27 01:19

Reported

2023-07-27 01:22

Platform

win7-20230712-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"

Signatures

RedLine

infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1732 set thread context of 1052 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 1052 (12 identical events) N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe

"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rcam25.tuktuk.ug udp
NL 85.209.3.9:11290 rcam25.tuktuk.ug tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-27 01:19

Reported

2023-07-27 01:22

Platform

win10v2004-20230703-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"

Signatures

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Notepod.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2824 set thread context of 2400 N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 2400 (8 identical events) N/A C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2400 wrote to memory of 1108 (2 identical events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\Notepod.exe
PID 1108 wrote to memory of 3588 (2 identical events) N/A C:\Users\Admin\AppData\Local\Temp\Notepod.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe

"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 rcam25.tuktuk.ug udp
NL 85.209.3.9:11290 rcam25.tuktuk.ug tcp
US 8.8.8.8:53 9.3.209.85.in-addr.arpa udp
NL 45.66.230.149:80 45.66.230.149 tcp
US 8.8.8.8:53 149.230.66.45.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 lpls.tuktuk.ug udp
NL 45.66.230.149:80 lpls.tuktuk.ug tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Notepod.exe

MD5 18658dec7775fa53f081b892d6a2b027
SHA1 fa8d901c7aac70e2c37544883ce087e48c6302d1
SHA256 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
SHA512 cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 c204e4a125c82174a9640979625855f5
SHA1 952d1a895d3a626e2a58be090aa9a804e994f5ad
SHA256 3ca1f895d6b7bdcd20effca1a2fe05822319813c07b6014cc7c95803ea7f87cf
SHA512 aabda459a8ed48ae5580dd3d34b8bb0086a418fb104fef602c086e3910d739422ec44eea22df5e36f07ee84e3697aeaffb706e01ea3de7cab5c8ed4191a4ec8b

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 7ba446f3be88d83446763d286930f5cc
SHA1 1aa6e0bfdc1d452db6a8c41775f216799f82295e
SHA256 7edb8c0812a6521deeb02c00bbb3ad0e586274445372f5c9a7beabbfa3f0a161
SHA512 f341451d5041fdc6c5fa2a4545f21f07d8c360aea9933387a9a5bce24d641ae3bbd7576a1d29ec66ea35b5973e2c0b8045784933277bb9454e1fa38cc24dea75
