Analysis Overview
SHA256
19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee
Threat Level: Known bad
The file 19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Sets file to hidden
UPX packed file
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Views/modifies file attributes
Suspicious behavior: RenamesItself
NTFS ADS
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-08 05:36
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-08 05:36
Reported
2022-06-08 06:59
Platform
win10v2004-20220414-en
Max time kernel
127s
Max time network
140s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2004 set thread context of 1012 | N/A | C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe | C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe |
| PID 4240 set thread context of 1384 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe |
| PID 556 set thread context of 3320 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe |
| PID 3544 set thread context of 3772 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe
"C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe"
C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe
"C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\ENU_801FE970A758A6AE9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.253.135.241:80 | N/A | tcp |
| US | 20.189.173.12:443 | N/A | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
| NL | 104.110.191.140:80 | N/A | tcp |
| NL | 178.79.208.1:80 | N/A | tcp |
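The following is an added detection example, not part of the sandbox report above. It replays the behaviours the report tabulates for this run as log records and flags the chain a responder would hunt for: a renamed 7-Zip binary (cryptdlg.module.exe invoked as `a -y -mx9 -ssw ... .7z`) packing the staging folder under AppData\Roaming, attrib +s +h hiding that folder, the four SetThreadContext rows where a process overwrites a child running its own image, and the api.telegram.org / ipapi.co contacts. The event records are constructed from the Processes, Signatures and Network tables of behavioral2; their record format and the pid/ppid values for processes not named in the SetThreadContext rows are assumptions.

```python
"""Detection logic for the staging/hiding/hollowing/exfil chain in the report.

Added example (not the sandbox's own code). Event records are constructed from
the report's tables; the dict layout and the non-SetThreadContext pids/ppids are
assumed for illustration.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe"
STAGE = r"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022"
CRYPTDLG = STAGE + r"\cryptdlg.exe"
MODULE = STAGE + r"\cryptdlg.module.exe"
ARCHIVE = STAGE + r"\ENU_801FE970A758A6AE9D41.7z"

# Constructed process-creation records modelled on the "Processes" list.
PROCESS_EVENTS = [
    {"pid": 2004, "ppid": 1000, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 1012, "ppid": 2004, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 4240, "ppid": 1012, "image": CRYPTDLG, "cmdline": '"%s"' % CRYPTDLG},
    {"pid": 1384, "ppid": 4240, "image": CRYPTDLG, "cmdline": '"%s"' % CRYPTDLG},
    {"pid": 2988, "ppid": 1384, "image": MODULE,  # pid assumed
     "cmdline": '%s a -y -mx9 -ssw "%s" "%s\\1\\*"' % (MODULE, ARCHIVE, STAGE)},
    {"pid": 3332, "ppid": 1384, "image": r"C:\Windows\SysWOW64\attrib.exe",  # pid assumed
     "cmdline": 'attrib +s +h "%s"' % STAGE},
]

# The four "PID X set thread context of Y" rows from the Signatures table.
THREAD_CONTEXT_EVENTS = [
    {"pid": 2004, "target_pid": 1012, "image": SAMPLE, "target_image": SAMPLE},
    {"pid": 4240, "target_pid": 1384, "image": CRYPTDLG, "target_image": CRYPTDLG},
    {"pid": 556, "target_pid": 3320, "image": CRYPTDLG, "target_image": CRYPTDLG},
    {"pid": 3544, "target_pid": 3772, "image": CRYPTDLG, "target_image": CRYPTDLG},
]

# (dst_ip, dst_port, resolved_domain) from the Network table; None = no domain seen.
NETWORK_EVENTS = [
    ("149.154.167.220", 443, "api.telegram.org"),
    ("172.67.69.226", 443, "ipapi.co"),
    ("8.253.135.241", 80, None),
]

# 7-Zip CLI shape: <image> a [switches...] <archive.7z> ...; -ssw compresses files
# that are open for writing, -mx9 is maximum compression.
ARCHIVER_RE = re.compile(
    r'^\s*"?(?P<image>[^"]+?\.exe)"?\s+a\s+(?P<opts>(?:-\S+\s+)*)"?(?P<archive>[^"\s]+\.7z)"?',
    re.IGNORECASE)
ATTRIB_RE = re.compile(
    r'^\s*(?:"?[^"\s]*\\)?attrib(?:\.exe)?"?\s+(?P<flags>(?:[+-][rashi]\s+)+)"?(?P<path>[^"]+)"?\s*$',
    re.IGNORECASE)
EXFIL_DOMAINS = {"api.telegram.org": "telegram_bot_exfil", "ipapi.co": "external_ip_lookup"}


def detect_renamed_archiver(cmdline):
    """7-Zip 'a' (add) syntax run from a binary not named like 7-Zip."""
    m = ARCHIVER_RE.match(cmdline)
    if not m:
        return None
    image = m.group("image")
    if image.rsplit("\\", 1)[-1].lower() in ("7z.exe", "7za.exe", "7zg.exe"):
        return None  # legitimate install of 7-Zip; only the renamed copy is interesting
    return {"rule": "renamed_7zip_staging", "image": image,
            "archive": m.group("archive"), "opts": m.group("opts").split()}


def detect_attrib_hide(cmdline):
    """attrib +s +h on a directory under AppData: hides the staging folder."""
    m = ATTRIB_RE.match(cmdline)
    if not m:
        return None
    flags = {f.lower() for f in m.group("flags").split()}
    path = m.group("path")
    if {"+s", "+h"} <= flags and "\\appdata\\" in path.lower():
        return {"rule": "attrib_hide_appdata", "path": path, "flags": sorted(flags)}
    return None


def detect_self_hollowing(events):
    """SetThreadContext into a different process running the same image (RunPE pattern)."""
    return [e for e in events
            if e["pid"] != e["target_pid"]
            and e["image"].lower() == e["target_image"].lower()]


def classify_network(events):
    return [{"rule": EXFIL_DOMAINS[d.lower()], "dst": f"{ip}:{port}", "domain": d}
            for ip, port, d in events if d and d.lower() in EXFIL_DOMAINS]


def analyze(process_events=PROCESS_EVENTS, thread_events=THREAD_CONTEXT_EVENTS,
            network_events=NETWORK_EVENTS):
    findings = []
    for e in process_events:
        for detector in (detect_renamed_archiver, detect_attrib_hide):
            hit = detector(e["cmdline"])
            if hit:
                findings.append(dict(hit, pid=e["pid"]))
    for e in detect_self_hollowing(thread_events):
        findings.append({"rule": "self_process_hollowing",
                         "pid": e["pid"], "target_pid": e["target_pid"]})
    findings.extend(classify_network(network_events))
    return findings


def verdict(findings):
    """Staged archive plus Telegram bot traffic is the stealer's exfil signature."""
    rules = {f["rule"] for f in findings}
    return "stealer_exfil_chain" if {"renamed_7zip_staging", "telegram_bot_exfil"} <= rules else "inconclusive"


if __name__ == "__main__":
    for f in analyze():
        print(f)
    print(verdict(analyze()))
```

The archiver rule keys on the 7-Zip command syntax rather than the file name, so it still fires when the dropper renames the binary (here to cryptdlg.module.exe) but ignores a genuine 7z.exe; the hollowing rule needs only the source and target image paths, which any EDR that logs SetThreadContext across process boundaries will provide.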
Files
memory/1012-130-0x0000000000000000-mapping.dmp
memory/1012-131-0x0000000000400000-0x00000000005D5000-memory.dmp
memory/1012-138-0x0000000000400000-0x00000000005D5000-memory.dmp
memory/4240-139-0x0000000000000000-mapping.dmp
memory/1384-140-0x0000000000000000-mapping.dmp
memory/1384-141-0x0000000000660000-0x0000000000835000-memory.dmp
memory/1384-148-0x0000000000660000-0x0000000000835000-memory.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/1384-150-0x0000000061E00000-0x0000000061ED2000-memory.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/1384-152-0x0000000061E00000-0x0000000061ED2000-memory.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/2988-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\1\Information.txt
| MD5 | 3550ec8dd679d05eb8f89dd902e033af |
| SHA1 | 33785fae6b87c2dd6b31d5cbdbb8f03f494a73ec |
| SHA256 | f99f13723960d68945b1ccf7fe1c3e4654bd8738ee63825bfac397b211d63083 |
| SHA512 | c6ca5d93674d7afc8a2e34578d4e0b41daed10aa1ac095879b925b4abd27a986405554542f35fd3b6050b33ad178edb0d9977c51b3368e52678e9f43c52f431e |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\1\Screen.jpg
| MD5 | f915b32a5ce3a8ac5ee2b594ef39ba39 |
| SHA1 | 60734a6f498e04c4d5a4f0d2de87890485fadb0a |
| SHA256 | 00f6350aa410e44b520f937b5c1ac34cf8e221f73ba2da3542fbb939e5186442 |
| SHA512 | 0126236336a89bf0ec9a1e1a53730e14665ea6e07cda390683c0683b2b0690e3345ce679a10eb9df80b17a9c5d90ec5ca0ed957fd134e018e52ace89e3f3cef9 |
memory/2988-158-0x0000000000400000-0x000000000047D000-memory.dmp
memory/3332-159-0x0000000000000000-mapping.dmp
memory/1384-160-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1384-161-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/3320-162-0x0000000000000000-mapping.dmp
memory/3320-170-0x0000000000400000-0x00000000005D5000-memory.dmp
memory/3772-171-0x0000000000000000-mapping.dmp
memory/3772-179-0x0000000000400000-0x00000000005D5000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-08 05:36
Reported
2022-06-08 06:58
Platform
win7-20220414-en
Max time kernel
130s
Max time network
135s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 960 set thread context of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe | C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe |
| PID 1900 set thread context of 1980 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe |
| PID 964 set thread context of 1424 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe |
| PID 1984 set thread context of 1708 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe
"C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe"
C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe
"C:\Users\Admin\AppData\Local\Temp\19bb7a034d6d884ee350df147940446783b5b71e4a52ea54cd98f33ec411d9ee.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\ENU_687FE978D73A864E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022"
C:\Windows\system32\taskeng.exe
taskeng.exe {305952F0-46A7-44DA-B9E3-7388D83B1678} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/960-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp
memory/1184-55-0x0000000000670000-0x0000000000845000-memory.dmp
memory/1184-57-0x0000000000670000-0x0000000000845000-memory.dmp
memory/1184-64-0x000000000069800A-mapping.dmp
memory/1184-66-0x0000000000670000-0x0000000000845000-memory.dmp
memory/1900-67-0x0000000000000000-mapping.dmp
memory/1980-72-0x00000000005B1000-0x000000000063F000-memory.dmp
memory/1980-73-0x00000000005B0000-0x0000000000785000-memory.dmp
memory/1980-78-0x00000000005D800A-mapping.dmp
memory/1980-80-0x00000000005B0000-0x0000000000785000-memory.dmp
\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/1980-83-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1980-84-0x0000000061E00000-0x0000000061ED2000-memory.dmp
\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/1200-87-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\cryptdlg.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\1\Information.txt
| MD5 | 5becf908ce9ea4d2c7c647853735e008 |
| SHA1 | b5e57e8f15dd8009540a222fc1cebc2e83e21f8f |
| SHA256 | 640ee70760eae7388729735270c76bff183e43af65b82b5724b19d0487624b95 |
| SHA512 | f1797df06b96f37e3629f5117cdcb127b4688a96520f5c644b00d8dd0b05c046ef7bef1b1068264094596a6c9f0a842cda24f2b03fc9e41acab6b05bda61d375 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-naturallanguage6-0022\1\Screen.jpg
| MD5 | 0e636605595362b0107c202245dae1c1 |
| SHA1 | 197c23b52191e42659b64f5f357e1a34184b2c41 |
| SHA256 | 726dc1b7759e9bc40e549fb50321fe4ac4e514c47ceef05bbc6d04f264c5c3e5 |
| SHA512 | 1b2c073404728769a63f54e435362e0bb77d97dc3225ee750796d0ac6064c95d5e7a3777963df0353667a1504f974d667684e6ee73b47bbc38eac7fcfab10589 |
memory/1200-91-0x0000000000400000-0x000000000047D000-memory.dmp
memory/1980-92-0x0000000002C80000-0x0000000002CFD000-memory.dmp
memory/1980-93-0x0000000002C80000-0x0000000002CFD000-memory.dmp
memory/852-94-0x0000000000000000-mapping.dmp
memory/1980-95-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1980-96-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1980-97-0x0000000002C80000-0x0000000002CFD000-memory.dmp
memory/964-98-0x0000000000000000-mapping.dmp
memory/1424-102-0x00000000006D0000-0x00000000008A5000-memory.dmp
memory/1424-109-0x00000000006F800A-mapping.dmp
memory/1424-111-0x00000000006D0000-0x00000000008A5000-memory.dmp
memory/1984-112-0x0000000000000000-mapping.dmp
memory/1708-116-0x0000000000710000-0x00000000008E5000-memory.dmp
memory/1708-123-0x000000000073800A-mapping.dmp
memory/1708-125-0x0000000000710000-0x00000000008E5000-memory.dmp