Analysis Overview
SHA256
ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867
Threat Level: Known bad
The file ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Sets file to hidden
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
AutoIT Executable
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious use of FindShellTrayWindow
NTFS ADS
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-25 05:31
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-25 05:31
Reported
2022-06-25 06:32
Platform
win10v2004-20220414-en
Max time kernel
183s
Max time network
210s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2884 set thread context of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe | C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe |
| PID 4396 set thread context of 4360 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
| PID 1284 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
| PID 4620 set thread context of 3308 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe
"C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe"
C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe
"C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 87.248.202.1:80 | tcp | |
| NL | 8.248.1.254:80 | tcp | |
| US | 52.168.112.67:443 | tcp | |
| IE | 20.54.110.249:443 | tcp | |
| NL | 20.190.160.73:443 | tcp | |
| NL | 104.97.14.80:80 | tcp | |
| NL | 104.97.14.80:80 | tcp | |
| NL | 20.190.160.67:443 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 20.190.160.67:443 | tcp | |
| NL | 20.190.160.2:443 | tcp | |
| NL | 20.190.160.73:443 | tcp | |
| NL | 20.190.160.2:443 | tcp | |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| NL | 20.190.160.136:443 | tcp | |
| NL | 20.190.160.67:443 | tcp | |
| NL | 20.190.160.136:443 | tcp | |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| NL | 20.190.160.2:443 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 20.190.160.136:443 | tcp |
Files
memory/1996-130-0x0000000000000000-mapping.dmp
memory/1996-131-0x0000000001000000-0x00000000011D5000-memory.dmp
memory/1996-138-0x0000000001000000-0x00000000011D5000-memory.dmp
memory/4396-139-0x0000000000000000-mapping.dmp
memory/4360-140-0x0000000000000000-mapping.dmp
memory/4360-148-0x0000000001000000-0x00000000011D5000-memory.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/4360-151-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/4360-152-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/4360-153-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/4360-154-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2572-155-0x0000000000000000-mapping.dmp
memory/2572-156-0x0000000000400000-0x00000000005D5000-memory.dmp
memory/2572-163-0x0000000000400000-0x00000000005D5000-memory.dmp
memory/1560-164-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/1560-167-0x0000000000400000-0x000000000047D000-memory.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
| MD5 | ca2b2a0a660f0b7de5084b5380af796b |
| SHA1 | 4375c0dd5e337b517f5ac6517632c8d6e7e66d66 |
| SHA256 | e319878d269f3e4fa4a42ac5693cf6adc0456225bb69995ae91b0d59ac79e0d7 |
| SHA512 | d19e19e647852013c28c237088db6eb8d45f6ecc194cd590011e978eec30236d2d18cb2dd854755241d25bef6e461f602c60a70ec7e701330f16b129d258a827 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Screen.jpg
| MD5 | 9b6c3d86a0cc0e1874f5797c372a2b7b |
| SHA1 | 4c66e093a88a79517ffc1ed75b8dcdc31dae5d6a |
| SHA256 | 52e87641000a812027687dd27094e5799e4912354440395672be675a91604f47 |
| SHA512 | 147805431936aa41dffafbd067a04b6914e6e0d1eeb76acf77eb4b47c577a29ffd83e917abfbd778681a4a0e9011ff22f52537519070f07a4c203948aa270f71 |
memory/1560-170-0x0000000000400000-0x000000000047D000-memory.dmp
memory/2700-171-0x0000000000000000-mapping.dmp
memory/3308-172-0x0000000000000000-mapping.dmp
memory/3308-180-0x0000000000400000-0x00000000005D5000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-25 05:31
Reported
2022-06-25 06:31
Platform
win7-20220414-en
Max time kernel
124s
Max time network
131s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2044 set thread context of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe | C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe |
| PID 1524 set thread context of 1544 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
| PID 1500 set thread context of 1324 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
| PID 1620 set thread context of 1520 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe
"C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe"
C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe
"C:\Users\Admin\AppData\Local\Temp\ac2c6005d35b07d417c9e3aa31b713f87a042f8963f99756a97911deb2e70867.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_687FE975325E824E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"
C:\Windows\system32\taskeng.exe
taskeng.exe {A74E6793-C8B3-4304-B3C9-369B768BAD92} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 172.67.69.226:443 | ipapi.co | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/2044-54-0x0000000075441000-0x0000000075443000-memory.dmp
memory/1908-55-0x0000000000940000-0x0000000000B15000-memory.dmp
memory/1908-57-0x0000000000940000-0x0000000000B15000-memory.dmp
memory/1908-64-0x000000000096800A-mapping.dmp
memory/1908-66-0x0000000000940000-0x0000000000B15000-memory.dmp
memory/1524-67-0x0000000000000000-mapping.dmp
memory/1544-71-0x0000000000A60000-0x0000000000C35000-memory.dmp
memory/1544-78-0x0000000000A8800A-mapping.dmp
memory/1544-80-0x0000000000A60000-0x0000000000C35000-memory.dmp
\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
memory/1544-83-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1544-84-0x0000000061E00000-0x0000000061ED2000-memory.dmp
\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
memory/320-87-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
| MD5 | f9ee4fd20a98e030fbfa95ef1d8925cb |
| SHA1 | cdc8105f5d85bb6c47feee3377d271e5c8214fb8 |
| SHA256 | c99a33c4b71f99633ec76cd5e78db83451fa079e4ee3315c8cd93abfbc69246f |
| SHA512 | b47c0dfdd37df806c0979885796b2eb27942c098fa4f953a2c26af717e20e2e7bd9264ded5b2f116c83e23116df7a8a6936916bcc10a98a8f050e900fa6d848d |
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Screen.jpg
| MD5 | 0cc2316953ce2fa330fee5b902691281 |
| SHA1 | 422ae6e575a17b5d8f842fb4b2d30500d3987624 |
| SHA256 | 0e95298b49ce76a4ae7fa2f7671004e1295e138b7557c65c3de3cc1385807acd |
| SHA512 | f5e5646a324eaf803f287c032ac64bfd31d11dbc35b8e75c552ba2a4a23923f2ef381abdcc90fba66ef99fda0310ba7be1e0775f3f64e72fc97fe16b86802618 |
memory/320-91-0x0000000000400000-0x000000000047D000-memory.dmp
memory/956-92-0x0000000000000000-mapping.dmp
memory/1544-93-0x00000000045E0000-0x000000000465D000-memory.dmp
memory/1544-94-0x00000000045E0000-0x000000000465D000-memory.dmp
memory/1544-95-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1544-96-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/1500-97-0x0000000000000000-mapping.dmp
memory/1324-101-0x00000000009C0000-0x0000000000B95000-memory.dmp
memory/1324-108-0x00000000009E800A-mapping.dmp
memory/1324-110-0x00000000009C0000-0x0000000000B95000-memory.dmp
memory/1620-111-0x0000000000000000-mapping.dmp
memory/1520-122-0x0000000000A8800A-mapping.dmp