Malware Analysis Report

2024-09-23 04:54

Sample ID: 220609-fyq6ladggm
SHA256: 15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b
Tags: qulab discovery evasion ransomware spyware stealer upx
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b
Threat level: Known bad

Malicious Activity Summary

Tags: qulab discovery evasion ransomware spyware stealer upx

None of the signatures below involves file encryption or a ransom note, so the ransomware tag is not supported by the behaviour recorded on this page; the 7-Zip archiving seen under Processes is staging of collected data (the 1\ directory holding Information.txt and Screen.jpg) before it is sent out.

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

Sets file to hidden

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2022-06-09 05:17

Signatures

AutoIT Executable (no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-09 05:17

Reported

2022-06-09 09:33

Platform

win7-20220414-en

Max time kernel

125s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software (2 matches, no indicator details recorded)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe

Sets file to hidden (evasion)

Process: C:\Windows\SysWOW64\attrib.exe

UPX packed file (upx; 6 matches, no indicator details recorded)

Reads user/profile data of web browsers (spyware, stealer)

Accesses cryptocurrency files/wallets, possible credential harvesting (spyware)

Checks installed software on the system (discovery)

Looks up external IP address via web service

Indicator: ipapi.co (2 lookups)

Drops file in System32 directory

Indicator: C:\Windows\SysWOW64\winmgmts:\localhost\ (file opened for modification, 2 events)
Process: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe

Enumerates physical storage devices

NTFS ADS

Indicator: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\winmgmts:\localhost\ (file opened for modification)
Process: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
Indicator: C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ (file opened for modification)
Process: C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe

Caveat on the three signatures above: every "path" in these indicators is the WMI moniker winmgmts:\localhost\ appended to the process's current directory, which is what a file-system monitor records when the string handed to a COM moniker call (AutoIt's ObjGet(), for instance) is resolved as a relative file name. The colon inside the moniker is what fires the NTFS ADS rule. Read them as evidence of WMI-based discovery, consistent with "Enumerates physical storage devices", not as a file being dropped into System32 or an alternate data stream being written.

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe

Suspicious use of WriteProcessMemory

Source PID -> Target PID (writes): Source Process -> Target Process
1788 -> 2016 (4): C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe -> C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
2016 -> 1172 (4): C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe -> C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe
2016 -> 996 (4): C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe -> C:\Windows\SysWOW64\attrib.exe
1732 -> 1700 (4): C:\Windows\system32\taskeng.exe -> C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
1732 -> 1420 (4): C:\Windows\system32\taskeng.exe -> C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe

A parent writing a few times into a child it has just created is the normal process-creation pattern, so this table is useful as a record of the process tree (dropper -> NlsLexicons0049.exe -> 7-Zip helper and attrib.exe; Task Scheduler -> two further NlsLexicons0049.exe instances) rather than as evidence of code injection on its own.

Views/modifies file attributes (evasion)

Process: C:\Windows\SysWOW64\attrib.exe

Processes (image, then command line; PIDs and parents taken from the WriteProcessMemory table)

C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe (PID 1788)
  "C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe (PID 2016, started by 1788)
  C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe (PID 1172, started by 2016)
  C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\ENU_687FE978D73A864E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\*"
  This is 7-Zip command-line syntax: a = add to archive, -y = assume yes on prompts, -mx9 = maximum compression, -ssw = compress files that are open for writing. The source is the 1\ directory, which under Files contains Information.txt and Screen.jpg.

C:\Windows\SysWOW64\attrib.exe (PID 996, started by 2016)
  attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources"
  Marks the staging directory system and hidden so it does not show in a default Explorer view.

C:\Windows\system32\taskeng.exe (PID 1732)
  taskeng.exe {8F46E304-6310-4A40-BC53-61970B8C7164} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
  Task Scheduler engine for the Admin interactive session; the scheduled task that launches the stealer is not itself listed on this page.

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe (PID 1700, started by taskeng.exe)
  C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe (PID 1420, started by taskeng.exe)
  C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 api.telegram.org udp 1
US 8.8.8.8:53 ipapi.co udp 1
NL 149.154.167.220:443 api.telegram.org tcp 8
US 172.67.69.226:443 ipapi.co tcp 1
NL 104.85.1.163:80 (no domain recorded) tcp 1

An external IP lookup against ipapi.co followed by repeated TLS sessions to api.telegram.org is the pattern of a stealer reporting through the Telegram Bot API. The page records only the flows, not the HTTPS request bodies, so the bot token and chat ID cannot be recovered from it.
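The process tree and the network table above contain enough structure to write detection logic against, so here is an added example (not part of the sandbox report, and not Qulab's or the sandbox vendor's code) that encodes the behaviours this report shows as rules and runs them over process-creation and network records. The event records are constructed by hand from the behavioral1 Processes, WriteProcessMemory and Network tables; the record field names, the placeholder parent PID 1 for the two root processes, and the rule names are assumptions made for this example.

```python
"""Rule-based triage of the execution chain recorded in the report above.

Added example, not part of the sandbox report. Event records are constructed
by hand from the behavioral1 Processes, WriteProcessMemory and Network tables;
the field names, the placeholder parent PID 1 for root processes, and the rule
names are assumptions made for this example.
"""
import re
from collections import Counter

STAGING = r"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe"

# Constructed process-creation records (pid, ppid, image, cmdline).
PROCESS_EVENTS = [
    {"pid": 1788, "ppid": 1, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 2016, "ppid": 1788, "image": STAGING + r"\NlsLexicons0049.exe",
     "cmdline": STAGING + r"\NlsLexicons0049.exe"},
    {"pid": 1172, "ppid": 2016, "image": STAGING + r"\NlsLexicons0049.module.exe",
     "cmdline": (STAGING + r"\NlsLexicons0049.module.exe a -y -mx9 -ssw "
                 + f'"{STAGING}\\ENU_687FE978D73A864E9D41.7z" "{STAGING}\\1\\*"')},
    {"pid": 996, "ppid": 2016, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": f'attrib +s +h "{STAGING}"'},
    {"pid": 1732, "ppid": 1, "image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": "taskeng.exe {8F46E304-6310-4A40-BC53-61970B8C7164} "
                r"S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]"},
    {"pid": 1700, "ppid": 1732, "image": STAGING + r"\NlsLexicons0049.exe",
     "cmdline": STAGING + r"\NlsLexicons0049.exe"},
]

# 7-Zip "add" syntax: a [switches] archive.7z sources...
SEVENZIP_ADD = re.compile(r'\ba\s+(?:-\S+\s+)*"?[^"]*?\.7z', re.IGNORECASE)


def in_appdata(path: str) -> bool:
    return "\\appdata\\" in path.lower()


def tags_for(ev: dict, by_pid: dict) -> set:
    """Return the rule names an event matches (empty set when nothing fires)."""
    img, cmd = ev["image"].lower(), ev["cmdline"]
    parent = by_pid.get(ev["ppid"])
    pimg = parent["image"].lower() if parent else ""
    tags = set()
    # attrib +s/+h aimed at something under a profile's AppData: hiding a staging dir
    if img.endswith("\\attrib.exe") and re.search(r"\+[sh]\b", cmd) and in_appdata(cmd):
        tags.add("hides_appdata_path")
    # a binary living in AppData packing a .7z: data staged for exfiltration
    if in_appdata(img) and SEVENZIP_ADD.search(cmd):
        tags.add("archives_staging_dir")
    # an AppData executable whose parent runs from %TEMP%: a dropped payload
    if in_appdata(img) and "\\appdata\\local\\temp\\" in pimg:
        tags.add("dropped_exe_from_temp")
    # Task Scheduler engine starting a user-writable binary: persistence
    if pimg.endswith("\\taskeng.exe") and in_appdata(img):
        tags.add("task_launches_appdata_exe")
    # WinSxS-style component directory name under Roaming, where none belongs
    if "\\appdata\\roaming\\x86_microsoft-windows-" in img:
        tags.add("winsxs_name_outside_winsxs")
    return tags


def analyse_processes(events: list) -> dict:
    """Map pid -> sorted rule names for every event that matched at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = {e["pid"]: tags_for(e, by_pid) for e in events}
    return {pid: sorted(t) for pid, t in hits.items() if t}


# Constructed from the behavioral1 Network table (one row per recorded flow).
NETWORK_TABLE = """\
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 ipapi.co udp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.69.226:443 ipapi.co tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 104.85.1.163:80 tcp
"""
NET_ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>[\w.-]+))? (?P<proto>tcp|udp)$")
# Domains worth an alert when a non-browser process reaches them (assumed watch list).
WATCHED = {"api.telegram.org": "telegram_bot_api_exfil", "ipapi.co": "external_ip_lookup"}


def summarise_network(table: str) -> tuple:
    """Count non-DNS flows per destination and flag watched domains."""
    counts, flags = Counter(), {}
    for row in table.splitlines():
        m = NET_ROW.match(row.strip())
        if not m or m["port"] == "53":      # resolver traffic is noise here
            continue
        key = m["domain"] or m["ip"]
        counts[key] += 1
        if m["domain"] in WATCHED:
            flags[m["domain"]] = WATCHED[m["domain"]]
    return dict(counts), flags


if __name__ == "__main__":
    for pid, tags in analyse_processes(PROCESS_EVENTS).items():
        print(pid, ", ".join(tags))
    print(*summarise_network(NETWORK_TABLE), sep="\n")
```

The rules are deliberately generic (any AppData binary invoking 7-Zip add syntax, any attrib +h on an AppData path, any taskeng.exe child under AppData) so that a renamed helper or a different staging directory still matches; the WinSxS-name rule is the one that is specific to this sample family and would be the first to drop if it proved noisy.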

Files

memory/1788-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

memory/2016-55-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.sqlite3.module.dll (listed twice, same hashes)

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/2016-59-0x0000000061E00000-0x0000000061ED2000-memory.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe (listed three times, same hashes)

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/1172-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\Information.txt

MD5 1cce84b26e3d0238c5768202671a0e98
SHA1 84f47c78fbafd9f49d6caa11bd18f2c2b0864551
SHA256 5e1131339d536ac207767c8ae7446386829d1472e4d1a951f0c8b546d03d4a72
SHA512 8369993756f3a97c73f8b2cabdef9f3b0ebdc5404f644f9bb738ba69e23ca3c2762ca332fdc307673538f5f3b2036c6412b08366df960b21a0484c9c03e93e9a

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\Screen.jpg

MD5 4d791fb26e385825405e673f184ee646
SHA1 7f69f7755783161b145d7de02ae2a7e851f3700f
SHA256 f2cbff2e7e92803ad42e8d75a7b05b3de0fbcf98aae96b77428377dc72a03fe1
SHA512 66c2eb495135dd7d08f1aa7ff728b66e7321cd9018069ceb3b7764fa44e24907e18e950d704691987ea73612d2055b545ace13e23cc32c3ebdf80dddcbaf8e75

memory/1172-66-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2016-67-0x0000000004350000-0x00000000043CD000-memory.dmp

memory/2016-68-0x0000000004350000-0x00000000043CD000-memory.dmp

memory/996-69-0x0000000000000000-mapping.dmp

memory/1700-70-0x0000000000000000-mapping.dmp

memory/1420-72-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-09 05:17

Reported

2022-06-09 09:33

Platform

win10v2004-20220414-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software (2 matches, no indicator details recorded)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe

Sets file to hidden (evasion)

Process: C:\Windows\SysWOW64\attrib.exe

UPX packed file (upx; 8 matches, no indicator details recorded)

Reads user/profile data of web browsers (spyware, stealer)

Accesses cryptocurrency files/wallets, possible credential harvesting (spyware)

Checks installed software on the system (discovery)

Looks up external IP address via web service

Indicator: ipapi.co (1 lookup)

Drops file in System32 directory

Indicator: C:\Windows\SysWOW64\winmgmts:\localhost\ (file opened for modification, 2 events)
Process: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe

Enumerates physical storage devices

NTFS ADS

Indicator: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\winmgmts:\localhost\ (file opened for modification)
Process: C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
Indicator: C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ (file opened for modification)
Process: C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe

As in the Windows 7 run, these indicators are the WMI moniker winmgmts:\localhost\ resolved against the process's current directory by the file-system monitor; the colon in the moniker is what fires the NTFS ADS rule. They point to WMI-based discovery, not to a file written into System32 or an alternate data stream.

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe

Suspicious use of WriteProcessMemory

Source PID -> Target PID (writes): Source Process -> Target Process
3368 -> 3980 (3): C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe -> C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe
3980 -> 4404 (3): C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe -> C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe
3980 -> 1392 (3): C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe -> C:\Windows\SysWOW64\attrib.exe

Same process tree as the Windows 7 run (dropper -> NlsLexicons0049.exe -> 7-Zip helper and attrib.exe), minus the Task Scheduler launches; the writes are the normal process-creation pattern rather than injection.

Views/modifies file attributes (evasion)

Process: C:\Windows\SysWOW64\attrib.exe

Processes (image, then command line; PIDs and parents taken from the WriteProcessMemory table)

C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe (PID 3368)
  "C:\Users\Admin\AppData\Local\Temp\15ff00f9d644342888ec15b5fd8fe6baab954132564c41c451af49a197aa0a2b.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe (PID 3980, started by 3368)
  C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe (second instance; parent not recorded on this page)
  C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe (PID 4404, started by 3980)
  C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\ENU_801FE97294A87C4E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\*"
  7-Zip add syntax as in the Windows 7 run; only the archive name differs (ENU_801FE97294A87C4E9D41.7z here, ENU_687FE978D73A864E9D41.7z there), so the name is generated per run rather than fixed in the sample.

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe (third instance; parent not recorded on this page)
  C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.exe

C:\Windows\SysWOW64\attrib.exe (PID 1392, started by 3980)
  attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources"

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 api.telegram.org udp 1
US 8.8.8.8:53 ipapi.co udp 1
NL 149.154.167.220:443 api.telegram.org tcp 3
US 172.67.69.226:443 ipapi.co tcp 1
US 104.26.8.44:443 ipapi.co tcp 1
US 104.26.9.44:443 ipapi.co tcp 1
US 93.184.221.240:80 (no domain recorded) tcp 7
US 93.184.220.29:80 (no domain recorded) tcp 1
US 104.208.16.90:443 (no domain recorded) tcp 1

Files

memory/3980-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.sqlite3.module.dll (listed twice, same hashes)

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/3980-133-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/3980-134-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/3980-135-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4404-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\NlsLexicons0049.module.exe (listed twice, same hashes)

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\Information.txt

MD5 d07653a7ec1c8be6ab831ac4707cc988
SHA1 a94c488b9320140b0d3b07658223a7a52cc5ecbc
SHA256 5420d7b13dc8359e3d71bd293fc0305d784142a527b72a1487ba0ceec8e57930
SHA512 4df2bd8dcb90f4dcf470b986460cba1ee642d1d84b2f00449582f09413168e422e7e4291ca59f9a02c01b92f05a263978b48787b9c3fe1289cf0987bd384e03e

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..meworkapi.resources\1\Screen.jpg

MD5 00f99c236dc49cb228b3b52282cd97de
SHA1 d4630cb1098bc872e895c9c7924368985b4a60e9
SHA256 0ca0fabd290468176a242f2d1d5572fe28e5d4e379ff1636cfe2bad4876e3d64
SHA512 9a7d14e5c07c0099c03560e9404e0c6f416b7bb7629b157f1368da72ff97d7481dfe692733632e1b1c3d1cfb85cee744aa5ba8e4b952ee5d60aa3825e6ddb376

memory/4404-141-0x0000000000400000-0x000000000047D000-memory.dmp

memory/1392-142-0x0000000000000000-mapping.dmp