Analysis Overview
SHA256
a53ba4da573768d2a40c3b0a4bf66702ff02fcd5deab14ff4cee425e53526226
Threat Level: Known bad
The file a53ba4da573768d2a40c3b0a4bf66702ff02fcd5deab14ff4cee425e53526226 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Sets file to hidden
UPX packed file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-24 17:00
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-24 17:00
Reported
2022-05-24 17:38
Platform
win7-20220414-en
Max time kernel
147s
Max time network
130s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Build.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a53ba4da573768d2a40c3b0a4bf66702ff02fcd5deab14ff4cee425e53526226.exe
"C:\Users\Admin\AppData\Local\Temp\a53ba4da573768d2a40c3b0a4bf66702ff02fcd5deab14ff4cee425e53526226.exe"
C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Build.exe
"C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Build.exe"
C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe
"C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe"
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources"
C:\Windows\system32\taskeng.exe
taskeng.exe {ACCD74BD-413C-486E-B95A-A8902BFE1189} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 185.174.167.15:65233 | | tcp |
| RU | 185.174.167.15:65233 | | tcp |
Files
memory/532-54-0x0000000075701000-0x0000000075703000-memory.dmp
\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Build.exe
| MD5 | 98833b2e90a64311114076554e9e3b9a |
| SHA1 | 42e00aa75591aec8aae2a52fb48e8ea9897cb327 |
| SHA256 | a0b925d18f3d6c5c79399cb5dc9f8a9666fb6aef21fb88a796ae5a76a9b29c2b |
| SHA512 | a095aa7429ad7fa757c4ce4d3b8eff1596afdb2d26a50bdf058168119fe1d476d8e9518f0d4bef6d8e424aea1d61f1f944c781dc062433a7f4171e3bf749cff0 |
memory/1824-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Build.exe
| MD5 | 98833b2e90a64311114076554e9e3b9a |
| SHA1 | 42e00aa75591aec8aae2a52fb48e8ea9897cb327 |
| SHA256 | a0b925d18f3d6c5c79399cb5dc9f8a9666fb6aef21fb88a796ae5a76a9b29c2b |
| SHA512 | a095aa7429ad7fa757c4ce4d3b8eff1596afdb2d26a50bdf058168119fe1d476d8e9518f0d4bef6d8e424aea1d61f1f944c781dc062433a7f4171e3bf749cff0 |
\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe
| MD5 | f3d405e44101af5fd62507139e144b72 |
| SHA1 | e514d6800dd80c840fa356916c66120bcccb21c4 |
| SHA256 | 124a8bf412ae09d31cb8d8af4a812790606989dbf86c4e099629d496eb7159b3 |
| SHA512 | 53d665f6b16d0a5229b5d085cedbe07c7f2d37778ac1568948fcf5bcd81dd75b3d4d9985937e1866145c1c113e03da09cdf048f44a0c53df2a5730dcdbf9d02f |
memory/932-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe
| MD5 | f3d405e44101af5fd62507139e144b72 |
| SHA1 | e514d6800dd80c840fa356916c66120bcccb21c4 |
| SHA256 | 124a8bf412ae09d31cb8d8af4a812790606989dbf86c4e099629d496eb7159b3 |
| SHA512 | 53d665f6b16d0a5229b5d085cedbe07c7f2d37778ac1568948fcf5bcd81dd75b3d4d9985937e1866145c1c113e03da09cdf048f44a0c53df2a5730dcdbf9d02f |
memory/932-66-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp
memory/2024-67-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
| MD5 | 98833b2e90a64311114076554e9e3b9a |
| SHA1 | 42e00aa75591aec8aae2a52fb48e8ea9897cb327 |
| SHA256 | a0b925d18f3d6c5c79399cb5dc9f8a9666fb6aef21fb88a796ae5a76a9b29c2b |
| SHA512 | a095aa7429ad7fa757c4ce4d3b8eff1596afdb2d26a50bdf058168119fe1d476d8e9518f0d4bef6d8e424aea1d61f1f944c781dc062433a7f4171e3bf749cff0 |
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/564-74-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\1\Information.txt
| MD5 | f3b58ffd0a5e5394556a042e53798620 |
| SHA1 | 2d6f3f8825084304107ce17c62afe52edb1e3e51 |
| SHA256 | eebe9de5f343c386cdd2ffe42f932dbf938fa70c9848cc529b49bd349c8794b8 |
| SHA512 | 308323cf7965006ddd3f5766ec262cf72297fd410ae4ea0dcddec428e5798d446e5a258ab8cb42c59c72ebaf6f6b4057755da594bd20eea4c10980f10c12f33a |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\1\Screen.jpg
| MD5 | fd8cc64bc3d428db190668b0267e2e84 |
| SHA1 | 324da727f1b730e0f4cdaa48d188f666dad73cc3 |
| SHA256 | 69ce52679d8ad3519c122c0fa0e80e2afe45e3f8a13d7c43e6e1a5c40414c363 |
| SHA512 | b21778cae5e2e8a6cbd25272a51e36ec082ae3fcc0098b11b1583fdaae20694383b4944b3b0a4c3ced2d34faa78a0f9b5e0612b0ff1104f81d2c6140d6075955 |
memory/1336-78-0x0000000000000000-mapping.dmp
memory/1528-79-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
| MD5 | 98833b2e90a64311114076554e9e3b9a |
| SHA1 | 42e00aa75591aec8aae2a52fb48e8ea9897cb327 |
| SHA256 | a0b925d18f3d6c5c79399cb5dc9f8a9666fb6aef21fb88a796ae5a76a9b29c2b |
| SHA512 | a095aa7429ad7fa757c4ce4d3b8eff1596afdb2d26a50bdf058168119fe1d476d8e9518f0d4bef6d8e424aea1d61f1f944c781dc062433a7f4171e3bf749cff0 |
memory/1212-82-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
| MD5 | 98833b2e90a64311114076554e9e3b9a |
| SHA1 | 42e00aa75591aec8aae2a52fb48e8ea9897cb327 |
| SHA256 | a0b925d18f3d6c5c79399cb5dc9f8a9666fb6aef21fb88a796ae5a76a9b29c2b |
| SHA512 | a095aa7429ad7fa757c4ce4d3b8eff1596afdb2d26a50bdf058168119fe1d476d8e9518f0d4bef6d8e424aea1d61f1f944c781dc062433a7f4171e3bf749cff0 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-24 17:00
Reported
2022-05-24 17:38
Platform
win10v2004-20220414-en
Max time kernel
127s
Max time network
153s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a53ba4da573768d2a40c3b0a4bf66702ff02fcd5deab14ff4cee425e53526226.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Build.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a53ba4da573768d2a40c3b0a4bf66702ff02fcd5deab14ff4cee425e53526226.exe
"C:\Users\Admin\AppData\Local\Temp\a53ba4da573768d2a40c3b0a4bf66702ff02fcd5deab14ff4cee425e53526226.exe"
C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Build.exe
"C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Build.exe"
C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe
"C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe"
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\ENU_801FE970A758A6AE9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources"
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 20.189.173.10:443 | | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| RU | 185.174.167.15:65233 | | tcp |
| DE | 67.24.27.254:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
Files
memory/4372-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Build.exe
| MD5 | 98833b2e90a64311114076554e9e3b9a |
| SHA1 | 42e00aa75591aec8aae2a52fb48e8ea9897cb327 |
| SHA256 | a0b925d18f3d6c5c79399cb5dc9f8a9666fb6aef21fb88a796ae5a76a9b29c2b |
| SHA512 | a095aa7429ad7fa757c4ce4d3b8eff1596afdb2d26a50bdf058168119fe1d476d8e9518f0d4bef6d8e424aea1d61f1f944c781dc062433a7f4171e3bf749cff0 |
memory/5096-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\qwvSdtFR7k59a\Everything.exe
| MD5 | f3d405e44101af5fd62507139e144b72 |
| SHA1 | e514d6800dd80c840fa356916c66120bcccb21c4 |
| SHA256 | 124a8bf412ae09d31cb8d8af4a812790606989dbf86c4e099629d496eb7159b3 |
| SHA512 | 53d665f6b16d0a5229b5d085cedbe07c7f2d37778ac1568948fcf5bcd81dd75b3d4d9985937e1866145c1c113e03da09cdf048f44a0c53df2a5730dcdbf9d02f |
memory/2220-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
| MD5 | 98833b2e90a64311114076554e9e3b9a |
| SHA1 | 42e00aa75591aec8aae2a52fb48e8ea9897cb327 |
| SHA256 | a0b925d18f3d6c5c79399cb5dc9f8a9666fb6aef21fb88a796ae5a76a9b29c2b |
| SHA512 | a095aa7429ad7fa757c4ce4d3b8eff1596afdb2d26a50bdf058168119fe1d476d8e9518f0d4bef6d8e424aea1d61f1f944c781dc062433a7f4171e3bf749cff0 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/4100-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\1\Information.txt
| MD5 | 25d12d6b892563881d10a28d9abecf60 |
| SHA1 | 316cef9a4991b1bd3408eca29000387c7f5bade7 |
| SHA256 | 232afe31ce61c8da3a015d09436f3516a399d4c6d5209952ab6db6e2641df739 |
| SHA512 | 06a5677cf3e212a1b66f9030c55db8422d42638736c560f15838f71a4222ddc1b22b6045cd9a6a3b04860fccf5d1ceb23262ecf1efce20c70ef08817e6fedf09 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\1\Screen.jpg
| MD5 | d866768540b6c62e0dd0bbd46a04df62 |
| SHA1 | 9b2225ac3e8a51afc030a8551c40296e888a4084 |
| SHA256 | 8821c4094e4c88c284d3a923cf51ad6a7c41e0c16b9d4fe7d9821e054940f659 |
| SHA512 | 2676235a212b8e8a80c618c19562fab6d666415919d69c9033bc83d28777a89edf0d0629bcee87a074ee5951193ec625e4637d201d75fc65d84d446008fa5478 |
memory/2972-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-mccs-syncres.resources\xolehlp.exe
| MD5 | 98833b2e90a64311114076554e9e3b9a |
| SHA1 | 42e00aa75591aec8aae2a52fb48e8ea9897cb327 |
| SHA256 | a0b925d18f3d6c5c79399cb5dc9f8a9666fb6aef21fb88a796ae5a76a9b29c2b |
| SHA512 | a095aa7429ad7fa757c4ce4d3b8eff1596afdb2d26a50bdf058168119fe1d476d8e9518f0d4bef6d8e424aea1d61f1f944c781dc062433a7f4171e3bf749cff0 |