Analysis Overview
SHA256
bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375
Threat Level: Known bad
The file bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Sets service image path in registry
Sets file to hidden
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
autoit_exe
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Views/modifies file attributes
Suspicious behavior: RenamesItself
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-01 04:12
Signatures
autoit_exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-01 04:12
Reported
2022-02-01 04:14
Platform
win7-en-20211208
Max time kernel
124s
Max time network
137s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe | N/A |
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
Note: the indicator below is the WMI moniker string winmgmts:\localhost\ recorded as if it were a file path relative to the process's working directory (C:\Windows\SysWOW64 for advpack.exe here); nothing is written to System32. The same moniker resolved against other working directories produces the NTFS ADS hits further down, where the colon in "winmgmts:" is what trips the ADS heuristic. Both signatures are side effects of the sample's WMI queries (consistent with the storage-device and installed-software enumeration signatures), not a genuine drop or alternate data stream.
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe
"C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\41646D696E565156564F414A4B57494E5F375836.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll"
C:\Windows\system32\taskeng.exe
taskeng.exe {61FEE486-0C0A-4344-90E8-36F540E580F6} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| RU | 185.142.97.228:65233 | | tcp |
| RU | 185.142.97.228:65233 | | tcp |
Files
memory/1696-54-0x0000000076001000-0x0000000076003000-memory.dmp
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.sqlite3.module.dll
| MD5 | 71000fc34d27d2016846743d1dcce548 |
| SHA1 | f75456389b8c0dd0398bb3d58f0b4745d862e1b5 |
| SHA256 | bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03 |
| SHA512 | d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c |
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
| MD5 | 965119091c292c96af5011f40dae87a5 |
| SHA1 | 85708f7bab07528f1b6e9dfbf64648189a513043 |
| SHA256 | 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b |
| SHA512 | 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
| MD5 | 965119091c292c96af5011f40dae87a5 |
| SHA1 | 85708f7bab07528f1b6e9dfbf64648189a513043 |
| SHA256 | 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b |
| SHA512 | 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\Information.txt
| MD5 | 232462866c5390687e8a1782600d9aeb |
| SHA1 | d70ea492e8902bc743977e7e0a7adac5c3538b56 |
| SHA256 | 6bb158dc9b63f4df774008e58ef42c1c2f3a27a18bb1c0bc7cdbcc93a7e15114 |
| SHA512 | 3cfcf4296ddd2867b1b9e0032bd9b31fdb5861e9e6a84b6fbd1ffd2f7bd4ebf54bf7d41235d7fb9c53f1fb8fff39ca551e1e80f84c4547d858623b9058c583cd |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\Screen.jpg
| MD5 | bf873cec1cb93c6a31153a44f2bd7386 |
| SHA1 | dccaa097d5cde6749f7f2ca662e2507e23eb87ff |
| SHA256 | 0e171cd72e69623177561d067a75ee3494e541a89e86ee58b578aa8d3ed549a3 |
| SHA512 | a4eca46253c31bb920e198bc927280c4823d0222c045719dbf9bc3d0dda19d923cb1f06f0f118020cdf79a3262b07c234ee5989587251b9286a260c7e2015ad6 |
memory/1212-62-0x0000000002B90000-0x0000000002C30000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-01 04:12
Reported
2022-02-01 04:15
Platform
win10v2004-en-20220112
Max time kernel
137s
Max time network
152s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe | N/A |
Sets file to hidden
Sets service image path in registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
Note: every hit in this table is from C:\Windows\System32\WaaSMedicAgent.exe (the Windows Update Medic agent) creating empty SystemCertificates containers under HKU\.DEFAULT, the normal first-use behaviour of the certificate store in a fresh Windows 10 VM. It is analysis-environment background activity, not sample behaviour.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe
"C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe a6d6014b81ffc3fc3f59677414348c5f nHwbbKrc90q5AA2t+qJTRQ.0.1.0.0.0
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\41646D696E524942435155485157494E5F313058.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.exe
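The advpack.module.exe command lines in both Processes sections use 7-Zip's add syntax ("a -y -mx9 -ssw": add, assume yes, ultra compression, include files open for writing) to pack the staging directory "1\" (holding Information.txt and Screen.jpg) into an archive whose name is a hex string, after which attrib +s +h hides the whole directory. The script below is an added example by the editor, not part of the sandbox report or of the sample. It decodes the hex archive names (the behavioral1 name decodes to the username "Admin", the hostname VQVVOAJK that also appears in the taskeng.exe line of behavioral1, and a trailing OS tag; the behavioral2 name follows the same username/hostname/tag pattern) and applies two process-command-line rules over the command lines listed in both runs plus one constructed benign 7-Zip invocation. The rules, the tag names, the tokenizer and the benign line are the editor's assumptions, not something the report states.

```python
import re

# Command lines copied from the report's Processes sections (both runs).
REPORT_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\bc87f6ec38d359fdd4ddf35c345e4e82dc1235c3fc3e9fbb38df5ff778448375.exe"',
    r'C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe a -y -mx9 -ssw '
    r'"C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\41646D696E565156564F414A4B57494E5F375836.7z" '
    r'"C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\*"',
    r'attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll"',
    r'taskeng.exe {61FEE486-0C0A-4344-90E8-36F540E580F6} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]',
    r'C:\Windows\System32\WaaSMedicAgent.exe a6d6014b81ffc3fc3f59677414348c5f nHwbbKrc90q5AA2t+qJTRQ.0.1.0.0.0',
    r'C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe a -y -mx9 -ssw '
    r'"C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\41646D696E524942435155485157494E5F313058.7z" '
    r'"C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\*"',
]
# Constructed benign line (not from the report): a user running the real 7-Zip.
BENIGN_CMDLINE = r'"C:\Program Files\7-Zip\7z.exe" a -mx9 "C:\Users\Admin\Documents\backup.7z" "C:\Users\Admin\Documents\*"'

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')                       # quoted or bare token
HEX_STEM_RE = re.compile(r'(?:^|[\\/])([0-9A-Fa-f]{8,})\.7z$', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\', re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def decode_hex_name(stem):
    """Decode an all-hex filename stem; None unless it is printable ASCII."""
    if len(stem) % 2 or not re.fullmatch(r'[0-9A-Fa-f]+', stem):
        return None
    raw = bytes.fromhex(stem)
    if not all(0x20 <= b < 0x7F for b in raw):
        return None
    return raw.decode('ascii')


def decoded_archive_names(cmdlines):
    """Map each hex-named .7z argument (upper-cased stem) to its decoded name."""
    found = {}
    for cmd in cmdlines:
        for tok in tokenize(cmd):
            m = HEX_STEM_RE.search(tok)
            if m and decode_hex_name(m.group(1)):
                found[m.group(1).upper()] = decode_hex_name(m.group(1))
    return found


def classify(cmdline):
    """Tags for the staging behaviours one command line shows (assumed rules)."""
    tags = set()
    tokens = tokenize(cmdline)
    if not tokens:
        return tags
    image, args = tokens[0], tokens[1:]
    basename = image.rsplit('\\', 1)[-1].lower()
    # Rule 1: 7-Zip 'add' syntax (a ... -mxN ...) run from an image under AppData.
    if (args[:1] == ['a'] and any(a.lower().startswith('-mx') for a in args)
            and USER_WRITABLE_RE.match(image)):
        tags.add('archiver-from-appdata')
        if decoded_archive_names([cmdline]):
            tags.add('hex-named-archive')
    # Rule 2: attrib +s +h on a directory under AppData hides the staging folder.
    if basename in ('attrib', 'attrib.exe'):
        flags = {a.lower() for a in args if a.startswith('+')}
        if {'+s', '+h'} <= flags and any(USER_WRITABLE_RE.match(a) for a in args):
            tags.add('hides-appdata-dir')
    return tags


if __name__ == '__main__':
    for stem, name in decoded_archive_names(REPORT_CMDLINES).items():
        print(f'{stem}.7z -> {name}')
    for cmd in REPORT_CMDLINES + [BENIGN_CMDLINE]:
        print(sorted(classify(cmd)) or '-', cmd[:70])
```

Run as-is it prints the two decoded archive names and tags only the two archiver lines and the attrib line; the sample's own launch, taskeng.exe, WaaSMedicAgent.exe and the benign 7-Zip line get no tag. The same two rules translate directly to process-creation telemetry: an image under a user's AppData invoked with 7-Zip add syntax, or attrib.exe applying +s +h to an AppData directory.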
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | crl3.digicert.com | udp |
| US | 72.21.91.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 72.21.91.29:80 | crl3.digicert.com | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| RU | 185.142.97.228:65233 | | tcp |
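The Network tables of both runs mix analysis-environment background traffic (DNS to the 8.8.8.8 resolver, CRL fetches from crl3/crl4.digicert.com, Windows telemetry to settings-win.data.microsoft.com) with traffic the sample itself generated: the ipapi.co external-IP lookup and the repeated connection to 185.142.97.228:65233, which has no DNS name and uses a high non-service port. The script below is an added example by the editor, not part of the report: it parses the table rows as they appear on the page (including rows whose Domain and Proto columns came out shifted in extraction), lets a bare ip:port row inherit the domain another row resolved to the same IP, and separates background rows from candidate indicators. The background allow-list is the editor's assumption, not the sandbox's.

```python
# Rows copied from the report's Network tables; the rows with a trailing empty
# cell or a missing cell are reproduced as extracted, with the columns shifted.
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| RU | 185.142.97.228:65233 | tcp | |
| RU | 185.142.97.228:65233 | tcp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | crl3.digicert.com | udp |
| US | 72.21.91.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
"""

# Assumed allow-list (editor's own, not the sandbox's): the VM's resolver,
# certificate revocation checks and Windows telemetry.
BACKGROUND_DOMAINS = ('.digicert.com', '.microsoft.com')
BACKGROUND_IPS = {'8.8.8.8'}
PROTOS = {'tcp', 'udp'}


def parse_row(line):
    """Parse one '| Country | ip:port | Domain | Proto |' row, or return None.

    Tolerates the extraction defect on the page where an empty Domain cell was
    dropped, so 'tcp' sits in the Domain column and Proto is empty or missing.
    """
    cells = [c.strip() for c in line.strip().strip('|').split('|')]
    if len(cells) < 3:
        return None
    country, dest = cells[0], cells[1]
    ip, _, port = dest.rpartition(':')
    if not port.isdigit():
        return None                      # header row or malformed destination
    rest = [c for c in cells[2:] if c]
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), '')
    domain = next((c.lower() for c in rest if c.lower() not in PROTOS), '')
    return {'country': country, 'ip': ip, 'port': int(port),
            'domain': domain, 'proto': proto}


def is_background(rec):
    """Allow-listed domain, or (when no name is known) allow-listed IP."""
    if rec['domain']:
        return rec['domain'].endswith(BACKGROUND_DOMAINS)
    return rec['ip'] in BACKGROUND_IPS


def triage_network(table_text):
    """Return (indicators, background) as de-duplicated row dicts."""
    recs = [r for r in map(parse_row, table_text.splitlines()) if r]
    # A bare ip:port row inherits the domain another row resolved to that IP.
    ip_to_domain = {r['ip']: r['domain'] for r in recs if r['domain']}
    indicators, background = {}, {}
    for r in recs:
        r['domain'] = r['domain'] or ip_to_domain.get(r['ip'], '')
        key = (r['domain'] or r['ip'], r['port'], r['proto'])
        (background if is_background(r) else indicators).setdefault(key, r)
    return list(indicators.values()), list(background.values())


def unresolved_high_ports(indicators):
    """Indicators with no DNS name on a non-service port: the C2 candidates."""
    return [r for r in indicators if not r['domain'] and r['port'] > 1023]


if __name__ == '__main__':
    iocs, noise = triage_network(NETWORK_ROWS)
    for r in iocs:
        print('IOC  ', r['domain'] or '-', f"{r['ip']}:{r['port']}/{r['proto']}")
    for r in noise:
        print('noise', r['domain'] or '-', f"{r['ip']}:{r['port']}/{r['proto']}")
    for r in unresolved_high_ports(iocs):
        print('C2 candidate', f"{r['ip']}:{r['port']}")
```

With the page's rows this leaves three indicators (the ipapi.co DNS query and HTTPS connection, and 185.142.97.228:65233/tcp) and files the rest, including the bare 93.184.220.29:80 rows once they inherit crl4.digicert.com, as background. The single unresolved high-port entry is the one worth blocking and hunting for in egress logs.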
Files
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.sqlite3.module.dll
| MD5 | 71000fc34d27d2016846743d1dcce548 |
| SHA1 | f75456389b8c0dd0398bb3d58f0b4745d862e1b5 |
| SHA256 | bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03 |
| SHA512 | d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\advpack.module.exe
| MD5 | 965119091c292c96af5011f40dae87a5 |
| SHA1 | 85708f7bab07528f1b6e9dfbf64648189a513043 |
| SHA256 | 1ad53eed4d91c6835551aa997399b6054cdf53bca33f103aec24afe46547186b |
| SHA512 | 244ef9a88308f9a1d738bb1fbf9f6125a4f25ef5665df85adff1985068f92a1d9714785eb63183fede6f1fd9c1420eecfa185a971c99ab835a8f9ea770d94629 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\Information.txt
| MD5 | 9d09216a0d0705b33bfebafdd3e01012 |
| SHA1 | cde21318bb356624c56717caf6a0766129799fcd |
| SHA256 | d07f6b0724a93df425bc746e9ca6e38192d9cef79535265510a6bd6036934db7 |
| SHA512 | fa3999ffcf2fc2461634c1a4f89f90b462d9717cb66793c4dfbb44acf4a9db216d21ceacd6b132029097fa2cc34dcb0ae8b12e6e14eac6bf8f8b4c10f957359e |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-m..rds-datacontrol-rll\1\Screen.jpg
| MD5 | 36bcccb7b53848e325dbb30efaca4c28 |
| SHA1 | ec28430f7a30913be1910d91b045f0f6bea76c93 |
| SHA256 | 44bd70109cecbf0dc17f4ea7887b4dd76102b24484c9bb3ffb50e56782f5da41 |
| SHA512 | 1628e34373205a13c74448f9e7c6504ac1007313d6168b687c436d792fcd7ef785ae8983eea4a24886b35bf7e0275d85690950b6c0c7c9519b239a68ba7b0e2f |
memory/3864-136-0x00000000076B0000-0x00000000076B1000-memory.dmp
memory/3864-135-0x0000000007690000-0x0000000007691000-memory.dmp
memory/3864-137-0x00000000076A0000-0x00000000076A1000-memory.dmp
memory/3864-138-0x00000000076C0000-0x00000000076C1000-memory.dmp