Analysis Overview
SHA256: 28d9b2c50d309ba7c95fb614941744bd8caf13be874117552e443997fd44b339
Threat Level: Known bad
The file 6659f84db9582049c250a8343dbf9168.bin was found to be: Known bad.
Malicious Activity Summary
RedLine
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Themida packer
Checks BIOS information in registry
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
GoLang User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-27 01:19
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-27 01:19
Reported
2023-07-27 01:22
Platform
win7-20230712-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
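The two registry reads above (repeated in behavioral2 by Notepod.exe and ntlhost.exe) are the standard VirtualBox fingerprint: HARDWARE\ACPI\DSDT\VBOX__ only exists when the guest's ACPI tables carry VirtualBox's OEM ID, and SystemBiosVersion / VideoBiosVersion contain VirtualBox strings unless the guest has been patched. The sample also reads EnableLUA (the UAC check further down). The following is an added example by the editor, not code from the report or from the sample: it applies the same decision logic to a registry snapshot held in a dict, so a sandbox operator can see which artifacts the sample would trip on. The key paths are the ones the report lists; the snapshot values, the hardened counterpart and the marker list are constructed assumptions.

```python
# Registry snapshots in the native \REGISTRY\... notation used by the report.
# Values are constructed; the key paths are the ones the sample queried.
VBOX_GUEST = {
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__": None,   # subkey exists, no value read
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": ["VBOX   - 1"],
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion":
        ["Oracle VM VirtualBox Version 6.1.34 VBE Adapter"],
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": 1,
}

# The same guest after the DSDT OEM ID and BIOS strings were patched (constructed values).
HARDENED_GUEST = {
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\DELL__": None,
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": ["DELL   - 1072009", "1.5.4"],
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": ["Intel Video BIOS"],
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": 0,
}

# Hypervisor markers to look for (editor's list; the sample itself only checks for VBOX).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN")
DSDT_PREFIX = (r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT" + "\\").upper()
BIOS_VALUES = (
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
)
ENABLE_LUA = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"


def _has_marker(text):
    return any(m in text.upper() for m in VM_MARKERS)


def vm_fingerprint(snapshot):
    """Return (key, reason) pairs that a VBOX__ / BIOS-string check would trip on."""
    hits = []
    for key in snapshot:
        # Existence check: HARDWARE\ACPI\DSDT\<OEMID> is named after the ACPI OEM ID.
        if key.upper().startswith(DSDT_PREFIX) and _has_marker(key[len(DSDT_PREFIX):]):
            hits.append((key, "ACPI DSDT OEM ID names a hypervisor"))
    for key in BIOS_VALUES:
        # REG_MULTI_SZ values: one string mentioning a hypervisor is enough.
        for s in snapshot.get(key) or []:
            if _has_marker(s):
                hits.append((key, f"BIOS string {s!r} names a hypervisor"))
                break
    return hits


def uac_enabled(snapshot):
    """EnableLUA is a REG_DWORD; when the value is absent UAC is on by default."""
    value = snapshot.get(ENABLE_LUA)
    return True if value is None else bool(value)


if __name__ == "__main__":
    for name, snap in (("stock VirtualBox", VBOX_GUEST), ("patched guest", HARDENED_GUEST)):
        print(name, "-> VM hits:", vm_fingerprint(snap), "| UAC on:", uac_enabled(snap))
```

The DSDT check is a key-open, not a value read, which is why the report shows "Key opened" for VBOX__ but "Key value queried" for the BIOS strings; a hardened guest has to rename the DSDT subkey (i.e. change the ACPI OEM ID) as well as patch the two strings.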
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1732 set thread context of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rcam25.tuktuk.ug | udp |
| NL | 85.209.3.9:11290 | rcam25.tuktuk.ug | tcp |
Files
memory/1732-54-0x0000000001040000-0x00000000016F2000-memory.dmp
memory/1732-55-0x00000000773A0000-0x00000000774B0000-memory.dmp
memory/1732-56-0x0000000075710000-0x0000000075757000-memory.dmp
memory/1732-57-0x00000000773A0000-0x00000000774B0000-memory.dmp
memory/1732-58-0x00000000773A0000-0x00000000774B0000-memory.dmp
memory/1732-59-0x0000000075710000-0x0000000075757000-memory.dmp
memory/1732-60-0x00000000773A0000-0x00000000774B0000-memory.dmp
memory/1732-61-0x00000000773A0000-0x00000000774B0000-memory.dmp
memory/1732-62-0x00000000773A0000-0x00000000774B0000-memory.dmp
memory/1732-64-0x00000000773A0000-0x00000000774B0000-memory.dmp
memory/1732-67-0x0000000077C90000-0x0000000077C92000-memory.dmp
memory/1732-68-0x0000000001040000-0x00000000016F2000-memory.dmp
memory/1732-69-0x0000000001040000-0x00000000016F2000-memory.dmp
memory/1732-70-0x0000000075710000-0x0000000075757000-memory.dmp
memory/1732-72-0x00000000773A0000-0x00000000774B0000-memory.dmp
memory/1732-73-0x00000000007F0000-0x000000000080C000-memory.dmp
memory/1732-74-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-75-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-77-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-79-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-81-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-83-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-85-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-87-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-89-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-91-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-93-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-95-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1732-97-0x00000000007F0000-0x0000000000805000-memory.dmp
memory/1052-98-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1052-99-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1052-100-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1052-101-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1052-102-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1052-103-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1052-105-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1052-108-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1732-109-0x0000000001040000-0x00000000016F2000-memory.dmp
memory/1732-111-0x0000000075710000-0x0000000075757000-memory.dmp
memory/1732-110-0x00000000773A0000-0x00000000774B0000-memory.dmp
memory/1052-112-0x00000000003A0000-0x00000000003A6000-memory.dmp
memory/1052-113-0x00000000739A0000-0x000000007408E000-memory.dmp
memory/1052-114-0x00000000045E0000-0x0000000004620000-memory.dmp
memory/1052-115-0x00000000739A0000-0x000000007408E000-memory.dmp
memory/1052-116-0x00000000045E0000-0x0000000004620000-memory.dmp
memory/1052-117-0x00000000739A0000-0x000000007408E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-27 01:19
Reported
2023-07-27 01:22
Platform
win10v2004-20230703-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Laplas Clipper
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
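The Run-key row above carries everything a detection needs: the hive and SID (per-user persistence, so no elevation required), the value name (NTSystem) and the data, which points at the dropped copy in AppData\Roaming rather than at the process that wrote it (Notepod.exe). The following is an added example by the editor, not code from the report: it parses that indicator string in the report's own notation and lists the traits a Sysmon event 13 style rule would raise on. The indicator and writer path are copied from the row; the autorun and user-writable path lists are the editor's assumptions.

```python
import re

# Indicator and writing process copied from the "Adds Run key" row of behavioral2.
INDICATOR = (r'\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000'
             r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem'
             r' = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"')
WRITER_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"

# Editor's lists, not from the report.
AUTORUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
                r"\software\microsoft\windows\currentversion\runonce")
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local", r"\users\public", r"\programdata")


def parse_registry_set(indicator):
    """Split '\\REGISTRY\\<hive>\\[<SID>\\]<subkey>\\<value> = "<data>"' into its parts."""
    key, sep, data = indicator.partition(" = ")
    if not sep or not key.upper().startswith("\\REGISTRY\\"):
        raise ValueError("expected a native registry 'key = data' indicator")
    parts = key.split("\\")[2:]                 # drop the leading '' and 'REGISTRY'
    hive = parts.pop(0)
    sid = parts.pop(0) if hive.upper() == "USER" and parts[0].upper().startswith("S-1-5-") else None
    value_name = parts.pop()
    data = data.strip()
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    data = data.replace("\\\\", "\\")           # the report escapes backslashes in string data
    return {"hive": hive, "sid": sid, "subkey": "\\".join(parts),
            "value_name": value_name, "data": data}


def _exe_from_command(data):
    # Autostart data may be '"path.exe" args'; keep only the executable path.
    m = re.match(r'"?([^"]+?\.exe)', data, re.IGNORECASE)
    return m.group(1) if m else data


def assess_autorun(parsed, writer_image):
    """Findings a detection engineer would raise on this registry write."""
    findings = []
    subkey = "\\" + parsed["subkey"].lower()
    if any(subkey.endswith(k) for k in AUTORUN_KEYS):
        findings.append("writes a Run/RunOnce autostart value")
    if parsed["sid"]:
        findings.append("per-user (HKCU) persistence, no elevation needed")
    exe = _exe_from_command(parsed["data"])
    if any(d in exe.lower() for d in USER_WRITABLE):
        findings.append("autostart target lives in a user-writable directory")
    if exe.lower() != writer_image.lower():
        findings.append("written by a different binary than the one it launches (dropper pattern)")
    return {"target": exe, "findings": findings}


if __name__ == "__main__":
    parsed = parse_registry_set(INDICATOR)
    print(parsed)
    print(assess_autorun(parsed, WRITER_IMAGE))
```

The writer-versus-target mismatch is the strongest single signal here: legitimate installers register the binary they installed from a signed location, whereas a dropper in %TEMP% registering a copy of itself under a new name in %APPDATA% is the pattern this run shows.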
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2824 set thread context of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
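In both runs the Themida-packed sample spawns the .NET host AppLaunch.exe with no arguments, writes into it (WriteProcessMemory), sets its main thread's context (PID 1732 to 1052 on Win7, PID 2824 to 2400 here), and the RedLine detection then fires on the AppLaunch.exe process: the usual process-hollowing chain. The following is an added example by the editor, not code from the report, showing how the report's process and SetThreadContext rows combine into a hollowing detection. The PIDs, image paths and command lines are the ones this report shows; the event layout, the host-binary list and the user-writable path list are assumptions.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    kind: str              # "create" or "set_thread_context"
    pid: int
    image: str
    cmdline: str = ""
    parent_pid: int = 0    # meaningful for "create"
    target_pid: int = 0    # meaningful for "set_thread_context"


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

# Constructed event stream: PIDs, images and command lines are from behavioral2 of this
# report; the event shape (roughly Sysmon event 1 plus a cross-process SetThreadContext
# event) is an assumption.
EVENTS = [
    ProcEvent("create", 2824, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent("create", 2400, APPLAUNCH, f'"{APPLAUNCH}"', parent_pid=2824),
    ProcEvent("set_thread_context", 2824, SAMPLE, target_pid=2400),
]

# .NET framework binaries routinely used as hollowing hosts (editor's list, not from the report).
HOLLOWING_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                   "installutil.exe", "vbc.exe", "aspnet_compiler.exe"}
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")


def started_without_arguments(proc):
    # AppLaunch.exe is normally given an assembly to run; a bare launch is the hollowing tell.
    return proc.cmdline.strip().strip('"').lower() == proc.image.lower()


def detect_hollowing(events, min_reasons=2):
    """Flag cross-process SetThreadContext calls that look like process hollowing."""
    procs = {e.pid: e for e in events if e.kind == "create"}
    alerts = []
    for e in events:
        if e.kind != "set_thread_context" or e.target_pid == e.pid:
            continue               # same-process thread context changes are routine
        actor, target = procs.get(e.pid), procs.get(e.target_pid)
        if actor is None or target is None:
            continue
        reasons = []
        if ntpath.basename(target.image).lower() in HOLLOWING_HOSTS:
            reasons.append("target is a .NET host binary commonly hollowed")
        if target.parent_pid == actor.pid:
            reasons.append("actor spawned the target itself")
        if started_without_arguments(target):
            reasons.append("target was started with no arguments")
        if any(d in actor.image.lower() for d in USER_WRITABLE):
            reasons.append("actor runs from a user-writable path")
        if len(reasons) >= min_reasons:
            alerts.append({"actor_pid": actor.pid, "target_pid": target.pid,
                           "target_image": target.image, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(EVENTS):
        print(alert)
```

Requiring two independent reasons keeps debuggers and same-process fiber switching out of the alert stream while still catching the case shown here, where all four hold at once.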
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe
"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\Notepod.exe
"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rcam25.tuktuk.ug | udp |
| NL | 85.209.3.9:11290 | rcam25.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 9.3.209.85.in-addr.arpa | udp |
| NL | 45.66.230.149:80 | 45.66.230.149 | tcp |
| US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
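The network table above mixes three kinds of rows: DNS queries to 8.8.8.8, reverse (PTR, in-addr.arpa) lookups, and the actual TCP connections. Only the last kind, together with the forward-resolved names, belongs on an IOC list; the PTR lookups of 85.209.3.9 and 45.66.230.149 are the guest resolving the peers it just talked to, not sample logic. The following is an added example by the editor, not code from the report: it parses the table rows in the report's own layout and separates IOCs from that noise. The rows are copied from the table; treating 8.8.8.8:53 as the sandbox resolver rather than a sample-chosen destination is an assumption.

```python
import ipaddress

# Rows copied from the behavioral2 network table of this report (header included).
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rcam25.tuktuk.ug | udp |
| NL | 85.209.3.9:11290 | rcam25.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 9.3.209.85.in-addr.arpa | udp |
| NL | 45.66.230.149:80 | 45.66.230.149 | tcp |
| US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
"""

RESOLVER = ("8.8.8.8", 53)   # assumed to be the sandbox's DNS forwarder, not an IOC


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def ptr_to_ip(name):
    """'9.3.209.85.in-addr.arpa' -> '85.209.3.9' (IPv4 PTR names are octet-reversed)."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def extract_iocs(rows):
    domains, reverse_ips, endpoints = set(), set(), {}
    for r in rows:
        if r["domain"].lower().endswith(".in-addr.arpa"):
            reverse_ips.add(ptr_to_ip(r["domain"]))   # PTR noise from the guest
            continue
        if (r["ip"], r["port"]) == RESOLVER and r["proto"] == "udp":
            if not is_ip(r["domain"]):
                domains.add(r["domain"])              # a name the sample resolved
            continue
        key = f'{r["ip"]}:{r["port"]}/{r["proto"]}'
        names = endpoints.setdefault(key, set())
        if not is_ip(r["domain"]):                    # bare IP here = direct-to-IP connect
            names.add(r["domain"])
            domains.add(r["domain"])
    c2_ips = {k.split(":")[0] for k in endpoints}
    return {
        "domains": sorted(domains),
        "endpoints": {k: sorted(v) for k, v in endpoints.items()},
        "reverse_lookups_of_c2": sorted(reverse_ips & c2_ips),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(parse_rows(NETWORK_TABLE)), indent=2))
```

The result is two endpoints worth blocking, 85.209.3.9:11290 (rcam25.tuktuk.ug, the connection present in both runs) and 45.66.230.149:80 (lpls.tuktuk.ug, seen only in the Win10 run alongside the Go-http-client User-Agent and the Laplas Clipper detection), plus the two domain names; the 8.8.8.8 rows and the PTR names drop out.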
Files
memory/2824-133-0x0000000000AF0000-0x00000000011A2000-memory.dmp
memory/2824-134-0x0000000076130000-0x0000000076220000-memory.dmp
memory/2824-135-0x0000000076130000-0x0000000076220000-memory.dmp
memory/2824-136-0x0000000076130000-0x0000000076220000-memory.dmp
memory/2824-137-0x0000000076130000-0x0000000076220000-memory.dmp
memory/2824-138-0x0000000076130000-0x0000000076220000-memory.dmp
memory/2824-139-0x0000000077444000-0x0000000077446000-memory.dmp
memory/2824-143-0x0000000000AF0000-0x00000000011A2000-memory.dmp
memory/2824-144-0x0000000005260000-0x00000000052FC000-memory.dmp
memory/2824-145-0x0000000000AF0000-0x00000000011A2000-memory.dmp
memory/2824-146-0x0000000076130000-0x0000000076220000-memory.dmp
memory/2824-147-0x0000000076130000-0x0000000076220000-memory.dmp
memory/2824-148-0x0000000076130000-0x0000000076220000-memory.dmp
memory/2824-149-0x0000000076130000-0x0000000076220000-memory.dmp
memory/2824-151-0x0000000076130000-0x0000000076220000-memory.dmp
memory/2824-152-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-153-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-155-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-157-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-159-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-161-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-163-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-165-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-167-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-169-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-171-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-173-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2824-175-0x0000000002E10000-0x0000000002E25000-memory.dmp
memory/2400-176-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2400-179-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/2824-180-0x0000000000AF0000-0x00000000011A2000-memory.dmp
memory/2824-181-0x0000000076130000-0x0000000076220000-memory.dmp
memory/2400-182-0x000000000A430000-0x000000000AA48000-memory.dmp
memory/2400-183-0x0000000009F20000-0x000000000A02A000-memory.dmp
memory/2400-184-0x0000000004940000-0x0000000004952000-memory.dmp
memory/2400-185-0x0000000004980000-0x0000000004990000-memory.dmp
memory/2400-186-0x0000000009E50000-0x0000000009E8C000-memory.dmp
memory/2400-187-0x000000000A160000-0x000000000A1D6000-memory.dmp
memory/2400-188-0x000000000A280000-0x000000000A312000-memory.dmp
memory/2400-189-0x000000000B000000-0x000000000B5A4000-memory.dmp
memory/2400-190-0x000000000AA50000-0x000000000AAB6000-memory.dmp
memory/2400-191-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/2400-192-0x0000000004980000-0x0000000004990000-memory.dmp
memory/2400-193-0x000000000C490000-0x000000000C652000-memory.dmp
memory/2400-194-0x000000000CB90000-0x000000000D0BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Notepod.exe
| MD5 | 18658dec7775fa53f081b892d6a2b027 |
| SHA1 | fa8d901c7aac70e2c37544883ce087e48c6302d1 |
| SHA256 | 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554 |
| SHA512 | cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d |
memory/1108-206-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/2400-208-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/1108-209-0x00007FFDA5D50000-0x00007FFDA5F45000-memory.dmp
memory/1108-210-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-211-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-212-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-213-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-214-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-215-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-216-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-217-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-218-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-219-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-221-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-222-0x00007FFDA5D50000-0x00007FFDA5F45000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | c204e4a125c82174a9640979625855f5 |
| SHA1 | 952d1a895d3a626e2a58be090aa9a804e994f5ad |
| SHA256 | 3ca1f895d6b7bdcd20effca1a2fe05822319813c07b6014cc7c95803ea7f87cf |
| SHA512 | aabda459a8ed48ae5580dd3d34b8bb0086a418fb104fef602c086e3910d739422ec44eea22df5e36f07ee84e3697aeaffb706e01ea3de7cab5c8ed4191a4ec8b |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 7ba446f3be88d83446763d286930f5cc |
| SHA1 | 1aa6e0bfdc1d452db6a8c41775f216799f82295e |
| SHA256 | 7edb8c0812a6521deeb02c00bbb3ad0e586274445372f5c9a7beabbfa3f0a161 |
| SHA512 | f341451d5041fdc6c5fa2a4545f21f07d8c360aea9933387a9a5bce24d641ae3bbd7576a1d29ec66ea35b5973e2c0b8045784933277bb9454e1fa38cc24dea75 |
memory/3588-227-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/1108-225-0x0000000000BF0000-0x0000000001375000-memory.dmp
memory/1108-228-0x00007FFDA5D50000-0x00007FFDA5F45000-memory.dmp
memory/3588-229-0x00007FFDA5D50000-0x00007FFDA5F45000-memory.dmp
memory/3588-230-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-231-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-232-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-233-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-234-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-235-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-236-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-237-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-238-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-239-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-240-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-241-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-242-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-243-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-244-0x00007FFDA5D50000-0x00007FFDA5F45000-memory.dmp
memory/3588-245-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-246-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-248-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-249-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-250-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-251-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-252-0x0000000000E90000-0x0000000001615000-memory.dmp
memory/3588-253-0x0000000000E90000-0x0000000001615000-memory.dmp
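The Files lists of both runs are mostly memory dumps named memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, one per region the sandbox captured. Read that way, the lists line up across the two platforms: the sample's main image is dumped as a 0x6B2000-byte region in both runs (0x1040000 on Win7, 0xAF0000 on Win10), a 0x15000-byte region is dumped repeatedly in both, and the hollowed AppLaunch.exe process (PIDs 1052 and 2400) first shows a 0x30000-byte region at 0x400000. The following is an added example by the editor, not code from the report: it parses those names and summarises regions per PID so the payload regions can be picked out without opening every dump. The names are a subset copied from the two Files lists above.

```python
import re
from collections import Counter, defaultdict

# Subset of the dump names from the Files lists of behavioral1 (PIDs 1732, 1052)
# and behavioral2 (PIDs 2824, 2400) of this report.
DUMP_NAMES = [
    "memory/1732-54-0x0000000001040000-0x00000000016F2000-memory.dmp",
    "memory/1732-68-0x0000000001040000-0x00000000016F2000-memory.dmp",
    "memory/1732-73-0x00000000007F0000-0x000000000080C000-memory.dmp",
    "memory/1732-74-0x00000000007F0000-0x0000000000805000-memory.dmp",
    "memory/1052-98-0x0000000000400000-0x0000000000430000-memory.dmp",
    "memory/1052-99-0x0000000000400000-0x0000000000430000-memory.dmp",
    "memory/2824-133-0x0000000000AF0000-0x00000000011A2000-memory.dmp",
    "memory/2824-143-0x0000000000AF0000-0x00000000011A2000-memory.dmp",
    "memory/2824-152-0x0000000002E10000-0x0000000002E25000-memory.dmp",
    "memory/2400-176-0x0000000000400000-0x0000000000430000-memory.dmp",
    "memory/2400-179-0x0000000074930000-0x00000000750E0000-memory.dmp",
]

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp -> dict with integer fields."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def summarize(names):
    """Per PID: the distinct regions, how often each was dumped, largest first."""
    hits = Counter()
    for d in map(parse_dump_name, names):
        hits[(d["pid"], d["start"], d["end"])] += 1
    by_pid = defaultdict(list)
    for (pid, start, end), n in hits.items():
        by_pid[pid].append({"start": start, "end": end, "size": end - start, "dumps": n})
    for regions in by_pid.values():
        regions.sort(key=lambda r: r["size"], reverse=True)
    return dict(by_pid)


def shared_region_sizes(summary, pids):
    """Region sizes present in every listed PID, e.g. the same image dumped in two runs."""
    sets = [{r["size"] for r in summary[p]} for p in pids]
    return sorted(set.intersection(*sets))


if __name__ == "__main__":
    summary = summarize(DUMP_NAMES)
    for pid, regions in sorted(summary.items()):
        for r in regions:
            print(f"pid {pid}: 0x{r['start']:X}-0x{r['end']:X} size 0x{r['size']:X} x{r['dumps']}")
    print("sizes shared by 1732 and 2824:", [hex(s) for s in shared_region_sizes(summary, [1732, 2824])])
    print("sizes shared by 1052 and 2400:", [hex(s) for s in shared_region_sizes(summary, [1052, 2400])])
```

A region that is dumped many times with the same bounds (the 0x15000-byte one here, with a dozen captures per run) is usually where the sandbox saw repeated writes or protection changes, which is the region to unpack first; the 0x30000-byte region at 0x400000 in the AppLaunch.exe processes is the one to carve for the injected payload.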