Malware Analysis Report

2024-10-19 01:10

Sample ID: 230729-veqs2sfa9t
Target: f2028b4fb0b43abc5a062bd35_JC.exe
SHA256: f2028b4fb0b43abc5a062bd359622b254dbf0e301f2a8b842d062896ca24692b
Tags: laplas clipper discovery evasion persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: f2028b4fb0b43abc5a062bd359622b254dbf0e301f2a8b842d062896ca24692b
Threat Level: Known bad

The file f2028b4fb0b43abc5a062bd35_JC.exe was found to be: Known bad.

Malicious Activity Summary

laplas clipper discovery evasion persistence spyware stealer trojan

Laplas Clipper

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-29 16:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-29 16:54
Reported: 2023-07-29 16:57
Platform: win7-20230712-en
Max time kernel: 135s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob value omitted] | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe

"C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe"

C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe

"C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
NL | 185.209.161.53:80 | 185.209.161.53 | tcp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 162.159.133.233:443 | cdn.discordapp.com | tcp
NL | 45.159.189.33:80 | 45.159.189.33 | tcp

Files

memory/2092-54-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

memory/2092-55-0x0000000000400000-0x0000000002B4C000-memory.dmp

memory/2092-56-0x0000000000220000-0x000000000023B000-memory.dmp

memory/2092-57-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2092-135-0x0000000000400000-0x0000000002B4C000-memory.dmp

memory/2092-136-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe

MD5 299a2d8412301a6c84f2da3c446943c2
SHA1 0f4b455e8a8f0fc278a7fe91db90fafaccfe04fc
SHA256 51a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f
SHA512 751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a

C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe

MD5 299a2d8412301a6c84f2da3c446943c2
SHA1 0f4b455e8a8f0fc278a7fe91db90fafaccfe04fc
SHA256 51a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f
SHA512 751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a

memory/588-140-0x0000000001D90000-0x0000000002551000-memory.dmp

memory/568-141-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-142-0x00000000777B0000-0x0000000077959000-memory.dmp

memory/568-143-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-144-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-145-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-147-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-146-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-148-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-149-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-151-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-150-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-152-0x0000000000090000-0x0000000000851000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe

MD5 299a2d8412301a6c84f2da3c446943c2
SHA1 0f4b455e8a8f0fc278a7fe91db90fafaccfe04fc
SHA256 51a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f
SHA512 751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a

memory/588-154-0x0000000001D90000-0x0000000002551000-memory.dmp

memory/568-155-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-156-0x0000000000090000-0x0000000000851000-memory.dmp

memory/568-157-0x00000000777B0000-0x0000000077959000-memory.dmp

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 e262eb8dac4f049ec2cf698bccf225e0
SHA1 378927058f97cf3ca9227c298e148d1223144f54
SHA256 f0c2ddbf6e3ca9da1b9d1ebe994d6dff7475d58d66869ae75337182eb34dbab7
SHA512 f508d2d75f62ff8ea687ffec934b857fc220ffbd3880d9740a4fcdd9214169a92fb7907f646d11f200fd8f67099e369662d4e13768bb60ef5202aa6139371de0

memory/568-163-0x0000000000090000-0x0000000000851000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 585197ffe875b710b1abb7be0a0a0b23
SHA1 f9d4a73afcdab42c0afeb692f5887277b5cef8b6
SHA256 5bb1f9f385e2fee2a3e061603b833aa84dec1e9590de17f2851c0f9eb3b2813a
SHA512 be9cc444f6e39cf4dc860b3b1a75e36cb34b48f50a069d45c758e856036b5eb75be35220391a0bcc0ffe5b646dfd9041d477ddb33c1c95410bda67aa3b3b4bde

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 e615f5d7b40e2a3fad7b5531016ea437
SHA1 fb5e387899691d6dca17818e3bc107a4b6e0aee0
SHA256 bdf37e704f5554b96301ce3aebb36229d459bca1932ebc621634b0e1d237d309
SHA512 b5454abcd7b15ca345cc3a1ac2a3fb4363b964f1f3b80f60e78f9ea869066f68510de8bea7f6d188414c8e6c503b3e8043c4953c8a494a2d50348a031ca4048f

memory/568-161-0x0000000028640000-0x0000000028E01000-memory.dmp

memory/568-165-0x00000000777B0000-0x0000000077959000-memory.dmp

memory/620-164-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-166-0x00000000777B0000-0x0000000077959000-memory.dmp

memory/620-167-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-168-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-169-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-170-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-171-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-172-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-173-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-174-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-175-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-176-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-177-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-178-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-179-0x00000000777B0000-0x0000000077959000-memory.dmp

memory/620-180-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-181-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-182-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-183-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-186-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-187-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-188-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-189-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-190-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-191-0x0000000000CC0000-0x0000000001481000-memory.dmp

memory/620-192-0x0000000000CC0000-0x0000000001481000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-29 16:54
Reported: 2023-07-29 16:57
Platform: win10v2004-20230703-en
Max time kernel: 143s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A (22 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe

"C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe"

C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe

"C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.21.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
NL | 185.209.161.53:80 | 185.209.161.53 | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.161.209.185.in-addr.arpa | udp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 162.159.134.233:443 | cdn.discordapp.com | tcp
US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
NL | 45.159.189.33:80 | 45.159.189.33 | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 33.189.159.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp

Files

memory/1880-134-0x0000000002BD0000-0x0000000002CD0000-memory.dmp

memory/1880-135-0x0000000000400000-0x0000000002B4C000-memory.dmp

memory/1880-136-0x0000000004890000-0x00000000048AB000-memory.dmp

memory/1880-137-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1880-217-0x0000000000400000-0x0000000002B4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe

MD5 299a2d8412301a6c84f2da3c446943c2
SHA1 0f4b455e8a8f0fc278a7fe91db90fafaccfe04fc
SHA256 51a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f
SHA512 751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a

C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe

MD5 299a2d8412301a6c84f2da3c446943c2
SHA1 0f4b455e8a8f0fc278a7fe91db90fafaccfe04fc
SHA256 51a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f
SHA512 751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a

memory/388-221-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/1880-222-0x0000000002BD0000-0x0000000002CD0000-memory.dmp

memory/388-223-0x00007FFCD78F0000-0x00007FFCD7AE5000-memory.dmp

memory/388-224-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-225-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-226-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-227-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-228-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-229-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-230-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-231-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-232-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-233-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-234-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-235-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-237-0x00007FFCD78F0000-0x00007FFCD7AE5000-memory.dmp

memory/388-238-0x0000000000580000-0x0000000000D41000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 1862c7f8b120b2f0a9133ff4b0ad7f64
SHA1 2a2122d841257e9b671abcaf2cfda3dc358c2021
SHA256 73927744d7a575ee4ebe651661976e182f50d5028e18e47ef498ed423c2d4702
SHA512 cbc299c6b0d68c8d9671f0942febe131ad34e27a936d561224fd4ad08c11b9ae1622cbf84bc28769b16645c0568996672cf413e33589363b469e603333472d01

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 2d2887985dd73f786a95d2b7043cc770
SHA1 a222655555866b1c73377d7cc9665fd487c4e342
SHA256 df56c0a98ad39f3c83956465e56d87225ebc76fc15a1e3157d20f9f87626ace3
SHA512 e430f7433ceef83b89da25b8baeaa58f439ab1e9d50c95b5d544f80228e484f97975fe3beeba2079b1806e3b3e881fbee53a41f9c0e350e019a39983dac5c89b

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 efb14643318e7f89c29c0e7330075b8b
SHA1 79e62d0707f005632d9b93df68adf9f8c6a849bd
SHA256 b9513c15d6d94f864c85067d46a943f8418a68a42d8a82d4e7df9902c19a6b68
SHA512 4a6836db5bd3046b8eef2c4cf7e3820e3a27f123a8f7651c636f95606e640610b16aa5b52f107823a907b4a9b9f786df4b4d218478f32064fc5656f556ab1090

memory/2228-243-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/388-242-0x0000000000580000-0x0000000000D41000-memory.dmp

memory/388-244-0x00007FFCD78F0000-0x00007FFCD7AE5000-memory.dmp

memory/2228-245-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-246-0x00007FFCD78F0000-0x00007FFCD7AE5000-memory.dmp

memory/2228-247-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-248-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-249-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-250-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-251-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-253-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-254-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-255-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-256-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-257-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-258-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-260-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-261-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-262-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-263-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-264-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-265-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-266-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-267-0x00007FFCD78F0000-0x00007FFCD7AE5000-memory.dmp

memory/2228-268-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-269-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-270-0x0000000000670000-0x0000000000E31000-memory.dmp

memory/2228-271-0x0000000000670000-0x0000000000E31000-memory.dmp