Malware Analysis Report

2024-09-23 04:45

Sample ID 220625-g1e2sahaem
Target 3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351
SHA256 3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351
Tags qulab discovery evasion ransomware spyware stealer upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351
Threat Level: Known bad

The file 3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351 was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion ransomware spyware stealer upx

Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Sets file to hidden
Executes dropped EXE
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
AutoIT Executable
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
NTFS ADS
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Modifies system certificate store

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported 2022-06-25 06:16

Signatures

AutoIT Executable


Analysis: behavioral1

Detonation Overview

Submitted 2022-06-25 06:16
Reported 2022-06-25 07:26
Platform win7-20220414-en
Max time kernel 126s
Max time network 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A

AutoIT Executable

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe
PID 1460 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
PID 1700 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
PID 2040 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
PID 2040 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Windows\SysWOW64\attrib.exe
PID 1036 wrote to memory of 1340 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
PID 1340 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
PID 1036 wrote to memory of 2000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
PID 2000 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe

"C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe"

C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe

"C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_687FE978D73A864E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"

C:\Windows\system32\taskeng.exe

taskeng.exe {441ED35D-117B-454F-839F-42123461DFB9} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp

Files

memory/1040-54-0x0000000076811000-0x0000000076813000-memory.dmp
memory/1460-55-0x00000000000C0000-0x0000000000295000-memory.dmp
memory/1460-57-0x00000000000C0000-0x0000000000295000-memory.dmp
memory/1460-64-0x00000000000E800A-mapping.dmp
memory/1460-66-0x00000000000C0000-0x0000000000295000-memory.dmp
memory/1700-67-0x0000000000000000-mapping.dmp
memory/2040-71-0x0000000000780000-0x0000000000955000-memory.dmp
memory/2040-78-0x00000000007A800A-mapping.dmp
memory/2040-80-0x0000000000780000-0x0000000000955000-memory.dmp

\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll
MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/2040-84-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2040-83-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2040-85-0x0000000061E00000-0x0000000061ED2000-memory.dmp
memory/2040-86-0x0000000061E00000-0x0000000061ED2000-memory.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/1916-89-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt
MD5 be653cc67df80bdeee409aecddc1876f
SHA1 b38071652663b4c065608e618d07c661c055bfe8
SHA256 1d55e5d948db45e6524f672c85ea59174f1246f136d8c67ec7ae6b005abf401c
SHA512 7d9af2270fce1756e0a4a7b78091ec68ae5b1e7ba949dab6196a7cb8d9e2f59caa81ded7980377ed23d753c02824e5afca95097dc19c20816ed1af678daee1b8

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Screen.jpg
MD5 ce599b0766239e284bb7c9f2ffb2e805
SHA1 dfbcf08713734cc5fca7e517821da338b9070e2d
SHA256 7d7f531b2048e62fb029cb9b2de8e826258412608101f1fab6f5b6e59274c089
SHA512 7bc4aec2621db42c1cc2776b6190736d4823494c74c609eb7908e6f01482259a04587b7099c25a0726a69bdd17019c3d94d0016e0f7dc5fac2bb06089ced26e0

memory/1916-93-0x0000000000400000-0x000000000047D000-memory.dmp
memory/2040-94-0x0000000003F20000-0x0000000003F9D000-memory.dmp
memory/2040-95-0x0000000003F20000-0x0000000003F9D000-memory.dmp
memory/1284-96-0x0000000000000000-mapping.dmp
memory/2040-97-0x0000000003F20000-0x0000000003F9D000-memory.dmp
memory/1340-98-0x0000000000000000-mapping.dmp
memory/1564-102-0x0000000000630000-0x0000000000805000-memory.dmp
memory/1564-109-0x000000000065800A-mapping.dmp
memory/1564-111-0x0000000000630000-0x0000000000805000-memory.dmp
memory/2000-112-0x0000000000000000-mapping.dmp
memory/1460-116-0x0000000000650000-0x0000000000825000-memory.dmp
memory/1460-123-0x000000000067800A-mapping.dmp
memory/1460-125-0x0000000000650000-0x0000000000825000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-06-25 06:16
Reported 2022-06-25 07:27
Platform win10v2004-20220414-en
Max time kernel 161s
Max time network 185s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

UPX packed file

upx

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A

AutoIT Executable

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe
PID 3400 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
PID 2624 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
PID 4028 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe
PID 4028 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Windows\SysWOW64\attrib.exe
PID 4028 wrote to memory of 316 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Windows\SysWOW64\attrib.exe
PID 4028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Windows\SysWOW64\attrib.exe
PID 5088 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe
PID 3924 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe

"C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe"

C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe

"C:\Users\Admin\AppData\Local\Temp\3a3633855b011a80de5031fcd679c79429ea12cdbc410e91fe37e81fd69c1351.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\ENU_801FE97C5F89A74E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe

"C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 13.89.178.27:443 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.9.44:443 ipapi.co tcp
US 8.8.8.8:53 crl.godaddy.com udp
US 192.124.249.36:80 crl.godaddy.com tcp
US 192.124.249.41:80 crl.godaddy.com tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 13.107.4.50:80 tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/3400-130-0x0000000000000000-mapping.dmp

memory/3400-131-0x0000000000E90000-0x0000000001065000-memory.dmp

memory/3400-138-0x0000000000E90000-0x0000000001065000-memory.dmp

memory/2624-139-0x0000000000000000-mapping.dmp

memory/4028-140-0x0000000000000000-mapping.dmp

memory/4028-141-0x0000000001600000-0x00000000017D5000-memory.dmp

memory/4028-148-0x0000000001600000-0x00000000017D5000-memory.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

memory/4028-151-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4028-152-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4028-153-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/4028-154-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/3468-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\NAPHLPR.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/3468-157-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Information.txt

MD5 b354f4b983452d3ac259b4e5ec201cc9
SHA1 eebbd9056fe97b9a49ce01507480f4616a62a6ed
SHA256 3acf4ccf081929bcc08a0e5272ab2e2f60f851a2aaf5a67c92683ecedc82614a
SHA512 1f3624a8b7fa9a9635862e8851e9e3ca491af160a49587294c83a2969be51f143132b00768f52f45bed3d979bd9f053fe6ea169c3a8681efc70f578cb69c565b

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-t..ty-client.resources\1\Screen.jpg

MD5 12bfa7d9ecd0f5259f7d78e2b2b5d688
SHA1 b87916e832e2f2a05b6ad5191360963ee3b7004c
SHA256 6a3d10f86d3dd982c41922a969800cf251a661abedffa76bd4a87f1b16132b32
SHA512 ec690972d383167077ffaed375919306debaa739adfca7fbeb22b4db327ae1a8b66408189120714781c1c309eedd8358baf897c43fe51738304297391e3b9356

memory/3468-161-0x0000000000400000-0x000000000047D000-memory.dmp

memory/1828-162-0x0000000000000000-mapping.dmp

memory/316-163-0x0000000000000000-mapping.dmp

memory/2492-164-0x0000000000000000-mapping.dmp

memory/1624-165-0x0000000000000000-mapping.dmp

memory/1624-173-0x0000000000E90000-0x0000000001065000-memory.dmp

memory/2840-174-0x0000000000000000-mapping.dmp

memory/2840-182-0x0000000001600000-0x00000000017D5000-memory.dmp