Analysis Overview
SHA256
1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0
Threat Level: Known bad
The file 1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Sets file to hidden
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of SetThreadContext
AutoIT Executable
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Suspicious use of FindShellTrayWindow
NTFS ADS
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-07 19:52
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-07 19:52
Reported
2022-06-07 22:14
Platform
win7-20220414-en
Max time kernel
126s
Max time network
158s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 384 set thread context of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe | C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe |
| PID 2040 set thread context of 2000 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
| PID 1084 set thread context of 1588 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
| PID 1684 set thread context of 1104 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [binary blob value not shown] | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe
"C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe"
C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe
"C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_687FE9762211651E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"
C:\Windows\system32\taskeng.exe
taskeng.exe {64F99402-F7FE-4D3A-8CCA-B0290221E1AF} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
Files
\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
| MD5 | 68b74d2774cc2451a271f56cff0cdbb4 |
| SHA1 | f5996cf740c6a01d231ef53a43157fe56fd1d1f6 |
| SHA256 | a48ca87ae77131c5c5b0b6963b20ab3e9fa7b2a0404a0f62d093f76e686ba6ee |
| SHA512 | 8e495fe96a6ef16aa5586bf2cf72f7876361286de3d9829103141d97a4afcdbcdf49031728e984cad41f681142096643d56dd1f9846ed31097691ea5348f57b7 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Screen.jpg
| MD5 | 006738e9124e7adde18ae49262ce20f5 |
| SHA1 | ec69c02015dec12a0362712855da33baf96e5efc |
| SHA256 | 24898bb9b36b1399703e2a4a7281f010e6237d59fbcf5c8a88feb7dd2ae1c6af |
| SHA512 | 601c1bb9aa857487f5d87d0e1a0528925b2b2a7c9a8114f099841729cc62ffd7bd146b9f6af2a1f8b53c26c0ea433312372550670f5d87b9ce5ff772d22b8f3a |
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-07 19:52
Reported
2022-06-07 22:15
Platform
win10v2004-20220414-en
Max time kernel
188s
Max time network
198s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe
"C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe"
C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe
"C:\Users\Admin\AppData\Local\Temp\1b14728bb3a182bcf26d6958a9283e3aa8c52d818e34aa8fd18a837d822252c0.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4688 -ip 4688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 2532
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 52.109.12.18:443 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | store-images.s-microsoft.com | udp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| US | 8.8.8.8:53 | tsfe.trafficshaping.dsp.mp.microsoft.com | udp |
| IE | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | dl.delivery.mp.microsoft.com | udp |
| US | 93.184.221.240:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | tlu.dl.delivery.mp.microsoft.com | udp |
| US | 13.107.4.50:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | 2.tlu.dl.delivery.mp.microsoft.com | udp |
| FR | 2.22.147.122:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 2.22.147.25:80 | 2.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
| MD5 | fb297eac5433371bb4e80ac0042db812 |
| SHA1 | 579e6b38ff37e3621a5ccb6861598fb90e3d3c58 |
| SHA256 | 981ea4586730243d098f03355b7a3c19ea02e69c175f61e616a44872bd474e26 |
| SHA512 | c4d9910d32c46e5c884bb67891091508426106f005fd47067d7244ee4a3e2e8c3d1d435d8e6e9c47f6ad8f0c975778c6127f3851746a28a98039a12adb48fe58 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Screen.jpg
| MD5 | 4fa0c96e37cb6bee30107cc76295fae4 |
| SHA1 | 023fdf3b30b7ea5708691ceb0600b8fd06d37b34 |
| SHA256 | 58ea6f76277604df452bffcbf0fde0ad442bc2a386d7b3948dd8f561c5144540 |
| SHA512 | 24018dd02f5f6639a221ff7033287663767323b7a084447fc91c17b158a89b6978776ef752f575f6f71e398aa1b95ce7772950a7aea5dba80f6520022573fb7c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | ac768ff2ba86be0a146ca2cf728b7b84 |
| SHA1 | 5d3e59375e7ea3065a4f78503176fab5bda39426 |
| SHA256 | e019255dc4588dce850c3e9efa548ed09a6a1ac4b61f8f54556f39aea58eacb1 |
| SHA512 | f1adadc74ae37fd1180739765610f3851bd99d5f8e30bdbb35fddf79af8e5e12b7a473282dcac4ab280306340d7a07a0f4afc2213d228ac891f0ecb291de710f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | de3584a5e2f79c581a87a5322aa2e38b |
| SHA1 | c4101744e8eed414fa78ac5703fd6c582417ddc9 |
| SHA256 | ea0a373d00ad4bede01485477be053b55f36877ff3bb07a0472722c51f4c246a |
| SHA512 | ab4034d1cb759934853c1cb27315b734513db6698b7583bd6fb98207e913c9c995fafbbfa02b68e30238fab34993fb6e9942b05004ffd9dbdd6bef0f66b163c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86
| MD5 | 9dc8cffd5a3520fb6f173ada36ebc98e |
| SHA1 | 04a5fc563bcebff77d36eb519c956558134e09ba |
| SHA256 | c88ebf5821ef91fe371283edd0a3786b6a453ffafc44ebe6021bb917e53fa4a5 |
| SHA512 | 8398d501d1d02a3b27e75ee008d2e5bdf450922a8186fa144f55b4aef2b5508322dfab4acc487917121ba78de6b286eecb5c1d79406855d3a07c2d9075db88a4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86
| MD5 | 58b9c2e080ac5c5ada010059279df4a4 |
| SHA1 | 024f8dcb4540a20bfd8263d1c2431bf95b3a3fca |
| SHA256 | 7229d806f0523162a3c07fbf75fe7960722a3b9f9e12460b3e289f1a7a2e33d3 |
| SHA512 | c5651cdd3450898bd19f3c475e01e8f5f923683082d4ce536d9d5482fe566925dece7c1a551aedf3ff3a515a59496708f91e5e2d4e2130e203dc924a785834a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 0085fc6ff6ec7649b40d39fbb27621ae |
| SHA1 | 3bc13b2c0831d921be07f807667f9e782a81f3dd |
| SHA256 | 64ac1618737da4e4c53c3fd94b8fe08515981b1bdd74fce47aa4628e11ceb135 |
| SHA512 | 9ebd2dcbd275575bbcbfaa94b3e6c48f0c2e12e6a9a56dad5b33521a11e28e0ec9704ba9fe7a4a4d492f8cea2929f25dbd3ba91e8a519b2de8fc1db45d967862 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 4113282a41366ff29510b7d84a7a83a7 |
| SHA1 | 58696dea67308970f9363a7d9edb5ce8077766a4 |
| SHA256 | 01e2613eb89c2d8d79d7177626c9f684ba9bbd515b8d238f6a13fd25634bd50a |
| SHA512 | 7ead24710f21cf8048985331de69993060406885a407543a6713f204dc85fe773f0aa3c9afd8b7d46bff677aac0ca55244ee2d2e4c64d157ab3a48aa7ede28d1 |