Malware Analysis Report

2024-09-23 04:57

Sample ID 220720-tcn11aaac7
Target 4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc
SHA256 4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc
Tags
qulab discovery evasion ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc
Threat Level: Known bad

The file 4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc was found to be: Known bad.

Malicious Activity Summary

Tags: qulab discovery evasion ransomware spyware stealer upx

The signatures below are the union of the static and the two behavioral runs; per-run details follow. Note that no signature in either detonation shows file encryption or a ransom note, so the ransomware tag is not supported by the observed behaviour. What was observed is stealer activity: browser and wallet data read, a collection directory archived with 7-Zip command syntax, and connections to api.telegram.org (see the Processes and Network sections of each run).

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

UPX packed file

Sets file to hidden

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

AutoIT Executable

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Views/modifies file attributes

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2022-07-20 15:54

Signatures

AutoIT Executable (1 match; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-20 15:54
Reported: 2022-07-20 16:43
Platform: win7-20220718-en
Max time kernel: 121s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe"

Signatures

Qulab Stealer & Clipper [stealer qulab]

ACProtect 1.3x - 1.4x DLL software (2 matches; no indicator details recorded)

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe

Sets file to hidden [evasion]
  Process: C:\Windows\SysWOW64\attrib.exe

UPX packed file [upx] (7 matches; no indicator details recorded)

Reads user/profile data of web browsers [spyware stealer]

Accesses cryptocurrency files/wallets, possible credential harvesting [spyware]

Checks installed software on the system [discovery]

Looks up external IP address via web service
  Indicator: ipapi.co (2 matches)

Drops file in System32 directory
  Description: File opened for modification (2 rows)
  Indicator: C:\Windows\SysWOW64\winmgmts:\localhost\
  Process: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe

Enumerates physical storage devices

NTFS ADS
  Description: File opened for modification
  Indicator: C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\
  Process: C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe
  Indicator: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\winmgmts:\localhost\
  Process: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe

Caveat on the two signatures above: every indicator is the WMI moniker winmgmts:\localhost\ with the calling process's current directory prepended, i.e. a relative string resolved against the working directory. The colon in the moniker is what matches the alternate-data-stream heuristic, and the SysWOW64 prefix only records where VoipRT.exe happened to be running from. Read these rows as WMI access (the AutoIt ObjGet("winmgmts:...") idiom, consistent with the discovery signatures), not as a file dropped into System32 or a stream written to disk.

Suspicious behavior: EnumeratesProcesses
  Process: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe

Suspicious behavior: RenamesItself
  Process: C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe

Suspicious use of WriteProcessMemory
  The report prints one row per write call; rows are collapsed here with their counts.
  PID 880 wrote to memory of 1924 (4 rows): C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe -> C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
  PID 1924 wrote to memory of 1336 (4 rows): C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe -> C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe
  PID 1708 wrote to memory of 1904 (4 rows): C:\Windows\system32\taskeng.exe -> C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
  PID 1924 wrote to memory of 1944 (4 rows): C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe -> C:\Windows\SysWOW64\attrib.exe
  PID 1708 wrote to memory of 1032 (4 rows): C:\Windows\system32\taskeng.exe -> C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe

Views/modifies file attributes [evasion]
  Process: C:\Windows\SysWOW64\attrib.exe

Processes

Each entry is the image path followed by the command line recorded for it. The parent/child relations follow from the WriteProcessMemory rows above: 880 -> 1924 -> 1336 and 1944; 1708 -> 1904 and 1032.

C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe (PID 880)
  "C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe"

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe (PID 1924; the same image is listed three times in this run, the other two being the taskeng.exe children 1904 and 1032)
  C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
  The drop directory name imitates a WinSxS component folder (wow64_microsoft-windows-rastls.resources), a naming scheme that belongs under C:\Windows\WinSxS and never under AppData\Roaming.

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe (PID 1336)
  C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\ENU_687FE97C395F5A4E9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\*"
  This is 7-Zip console syntax (a = add to archive, -y = assume yes on all prompts, -mx9 = maximum compression, -ssw = compress files that are open for writing): the dropped "module" is an archiver packing the collection directory 1\ (Information.txt and Screen.jpg, see Files) into a .7z, presumably for delivery over the api.telegram.org connections listed under Network.

C:\Windows\system32\taskeng.exe (PID 1708)
  taskeng.exe {0DDBAD92-38D0-4C8C-8E6A-CF2DCE0EEDB5} S-1-5-21-3762437355-3468409815-1164039494-1000:TZEOUYSL\Admin:Interactive:[1]
  The Task Scheduler engine for the interactive session. It starts VoipRT.exe twice (PIDs 1904 and 1032), which is consistent with a scheduled task registered by the sample for persistence; the task definition itself is not listed in this report.

C:\Windows\SysWOW64\attrib.exe (PID 1944)
  attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources"
  Marks the drop directory system and hidden so that Explorer and a plain dir do not show it by default.
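The WriteProcessMemory rows are the only place this export records which process started which, so the tree above has to be rebuilt from them. The following script, added here as an example and not part of the sandbox's own tooling, parses rows in the report's text layout, collapses the repeated rows into edge counts, and prints the tree with its two roots (the submitted sample and the Task Scheduler engine). The row text is regenerated from the behavioral1 PIDs and paths; nothing else is assumed.

```python
"""Rebuild the process tree from the 'Suspicious use of WriteProcessMemory' rows of a
Triage-style report.  Each row names the writing (parent) process and the process it
wrote into, which for a fresh child is its creation record.  Added example; not the
sandbox's own tooling."""
import re
from collections import Counter, defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources"
SAMPLE = TMP + r"\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe"
VOIPRT, MODULE = ROAM + r"\VoipRT.exe", ROAM + r"\VoipRT.module.exe"
ATTRIB, TASKENG = r"C:\Windows\SysWOW64\attrib.exe", r"C:\Windows\system32\taskeng.exe"

# The behavioral1 rows, regenerated in the report's own text layout (header line
# included).  The report prints one row per write call, so the repetition is kept.
_EDGES = ([(880, 1924, SAMPLE, VOIPRT)] * 4 + [(1924, 1336, VOIPRT, MODULE)] * 4
          + [(1708, 1904, TASKENG, VOIPRT)] * 4 + [(1924, 1944, VOIPRT, ATTRIB)] * 4
          + [(1708, 1032, TASKENG, VOIPRT)] * 4)
REPORT_ROWS = "Description Indicator Process Target\n" + "\n".join(
    f"PID {p} wrote to memory of {c} N/A {pi} {ci}" for p, c, pi, ci in _EDGES)

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_image, child_image); other lines are skipped.
    Paths are matched as non-whitespace runs because this report's paths contain no spaces."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield int(m[1]), int(m[2]), m[3], m[4]


def build_tree(events):
    """Return (children, images, rows): parent -> child pids in first-seen order,
    pid -> image path, (parent, child) -> number of WriteProcessMemory rows."""
    children, images, rows = defaultdict(list), {}, Counter()
    for p, c, pi, ci in events:
        images.setdefault(p, pi)
        images.setdefault(c, ci)
        if c not in children[p]:
            children[p].append(c)
        rows[(p, c)] += 1
    return children, images, rows


def roots(children):
    """Pids nobody wrote into: the submitted sample plus any launcher that joined the
    tree from outside it (here the Task Scheduler engine)."""
    written_into = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in written_into]


def render(children, images, rows, pid, depth=0):
    """One indented line per process; each child line notes how many rows link it to its parent."""
    out = [f"{'    ' * depth}{pid}  {images[pid]}"]
    for c in children.get(pid, []):
        sub = render(children, images, rows, c, depth + 1)
        sub[0] += f"   [{rows[(pid, c)]} writes from {pid}]"
        out.extend(sub)
    return out


def process_tree(text):
    """Parse the rows of a report section and return the rendered tree as a list of lines."""
    children, images, rows = build_tree(parse_rows(text))
    return [line for r in roots(children) for line in render(children, images, rows, r)]


if __name__ == "__main__":
    print("\n".join(process_tree(REPORT_ROWS)))
```

Running it prints seven lines: the sample (880) over VoipRT.exe (1924), which in turn has the archiver (1336) and attrib.exe (1944) beneath it, and a second root, taskeng.exe (1708), with its two VoipRT.exe relaunches. A second root that is a system scheduler is itself the persistence finding: something registered a task between the first and second start of VoipRT.exe.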

Network

Country  Destination            Domain            Proto  Notes
US       8.8.8.8:53             ipapi.co          udp    DNS lookup
US       8.8.8.8:53             api.telegram.org  udp    DNS lookup
US       172.67.69.226:443      ipapi.co          tcp    external IP lookup (matches the signature above)
NL       149.154.167.220:443    api.telegram.org  tcp    4 connections; Telegram Bot API, the likely delivery channel for the .7z built by VoipRT.module.exe
UA       217.147.169.126:80     (none resolved)   tcp    2 connections, plain HTTP, no DNS name in the capture

The report does not attribute connections to PIDs.
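The behaviour in this run and in behavioral2 below reduces to a handful of host-level patterns that survive a change of file names and hashes: attrib +s +h on an AppData directory, a 7-Zip "add" command line issued by a binary that is not 7-Zip, a WinSxS-style component folder name under AppData\Roaming, a Task Scheduler relaunch of an AppData binary, and Telegram Bot API traffic from a user-writable path. The script below, added here as an example and not one of the sandbox's signatures or any product's rules, encodes those patterns and runs them over constructed Sysmon-style process and network records. PIDs, images and command lines are those of behavioral1; the parent of the sample, the PID owning each connection, and the benign 7-Zip control process (PID 4242) are assumptions made for the example.

```python
"""Detection rules for the behaviour recorded in behavioral1 and behavioral2, evaluated
over constructed Sysmon-style process-creation and network-connection records.
Added example: not the sandbox's signatures and not part of any detection product."""
import re
from dataclasses import dataclass

ROAM = r"C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe"


@dataclass
class Proc:            # Sysmon event 1 fields the rules need
    pid: int
    image: str
    cmdline: str
    parent_image: str


@dataclass
class Conn:            # Sysmon event 3 fields; dst_host is the DNS name when one was seen
    pid: int
    dst_host: str
    dst_port: int


# Constructed records.  PIDs, images and command lines are those of behavioral1; the
# parent of the sample, the PID owning each connection and the benign 7-Zip control
# (pid 4242) are assumptions made for this example.
PROCS = [
    Proc(880, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    Proc(1924, ROAM + r"\VoipRT.exe", ROAM + r"\VoipRT.exe", SAMPLE),
    Proc(1336, ROAM + r"\VoipRT.module.exe",
         f'{ROAM}\\VoipRT.module.exe a -y -mx9 -ssw "{ROAM}\\ENU_687FE97C395F5A4E9D41.7z" "{ROAM}\\1\\*"',
         ROAM + r"\VoipRT.exe"),
    Proc(1944, r"C:\Windows\SysWOW64\attrib.exe", f'attrib +s +h "{ROAM}"', ROAM + r"\VoipRT.exe"),
    Proc(1904, ROAM + r"\VoipRT.exe", ROAM + r"\VoipRT.exe", r"C:\Windows\system32\taskeng.exe"),
    Proc(4242, r"C:\Program Files\7-Zip\7z.exe",
         r'"C:\Program Files\7-Zip\7z.exe" a -mx9 C:\Users\Admin\Documents\backup.7z C:\Users\Admin\Documents\notes\*',
         r"C:\Windows\explorer.exe"),
]
CONNS = [Conn(1924, "ipapi.co", 443), Conn(1924, "api.telegram.org", 443), Conn(1924, "217.147.169.126", 80)]

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.I)
# WinSxS component folders are named <arch>_microsoft-windows-<component>...; one under
# AppData\Roaming is a lookalike, since WinSxS lives only under C:\Windows.
WINSXS_LOOKALIKE = re.compile(r"\\AppData\\Roaming\\(wow64|amd64|x86)_microsoft-windows-[^\\]+\\", re.I)
SEVENZIP_IMAGES = {"7z.exe", "7za.exe", "7zr.exe", "7zg.exe"}


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def attrib_hides_user_dir(p):
    """attrib +s +h applied to something under a user's AppData (the drop directory here)."""
    t = tokens(p.cmdline)
    return (p.image.lower().endswith("\\attrib.exe") and "+h" in t and "+s" in t
            and any(USER_WRITABLE.match(a) for a in t))


def renamed_7zip_archiver(p):
    """7-Zip 'a' (add) syntax with -y/-mx/-ss switches from a binary that is not a known
    7-Zip image, or that runs from a user-writable path."""
    t = tokens(p.cmdline)
    if len(t) < 3 or t[1].lower() != "a":
        return False
    switches = {a[:3].lower() for a in t[2:] if a.startswith("-")}
    if not switches & {"-y", "-mx", "-ss"}:
        return False
    name = p.image.rsplit("\\", 1)[-1].lower()
    return name not in SEVENZIP_IMAGES or USER_WRITABLE.match(p.image) is not None


def winsxs_lookalike_in_roaming(p):
    return WINSXS_LOOKALIKE.search(p.image) is not None


def scheduler_relaunch_from_user_path(p):
    """Task Scheduler (taskeng.exe on Windows 7) starting a binary from AppData."""
    return (p.parent_image.lower().endswith("\\taskeng.exe")
            and USER_WRITABLE.match(p.image) is not None)


PROC_RULES = {f.__name__: f for f in (attrib_hides_user_dir, renamed_7zip_archiver,
                                      winsxs_lookalike_in_roaming, scheduler_relaunch_from_user_path)}
NET_RULES = {
    "external_ip_lookup": lambda c, p: c.dst_host == "ipapi.co",
    "telegram_api_from_user_path": lambda c, p: (c.dst_host == "api.telegram.org"
                                                 and USER_WRITABLE.match(p.image) is not None),
}


def evaluate(procs, conns):
    """Return the (rule name, pid) pairs that fire; network rules need the owning process."""
    by_pid = {p.pid: p for p in procs}
    hits = [(name, p.pid) for p in procs for name, rule in PROC_RULES.items() if rule(p)]
    for c in conns:
        p = by_pid.get(c.pid)
        hits += [(name, c.pid) for name, rule in NET_RULES.items() if p and rule(c, p)]
    return hits


if __name__ == "__main__":
    for name, pid in evaluate(PROCS, CONNS):
        print(f"{name:34} pid {pid}")
```

The benign control matters: a real 7z.exe in Program Files compressing a Documents folder must not fire, which is why the archiver rule keys on the image name and location rather than on the switches alone. The WinSxS-lookalike rule is the cheapest of the set and fires on all three VoipRT processes; on the Windows 10 run the scheduler rule would need the Win10 parent (svchost.exe hosting the Schedule service) instead of taskeng.exe, and this report does not record the parent for that run.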

Files

Memory dumps (pid-index, range):
  880-54  0x00000000762D1000-0x00000000762D3000
  1924-55 mapping
  1924-59 0x0000000061E00000-0x0000000061ED2000
  1336-62 mapping
  1924-64, 1924-69, 1924-70  0x00000000053B0000-0x000000000542D000
  1336-65, 1336-68  0x0000000000400000-0x000000000047D000
  1904-71, 1944-73, 1032-74 mapping

\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.sqlite3.module.dll (listed twice in the report)
  MD5 8c127ce55bfbb55eb9a843c693c9f240
  SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
  SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
  SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02
  A SQLite library dropped next to the stealer; browser profile data (history, cookies, logins) is stored in SQLite databases, which matches the "Reads user/profile data of web browsers" signature.

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe (listed three times in the report, same hashes)
  MD5 946285055913d457fda78a4484266e96
  SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
  SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
  SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\Information.txt
  MD5 51b376c55abb61cb02304f25089b5a0f
  SHA1 ad42c74a4d2a1747ea2aae87ed485840d1fbf2c4
  SHA256 501c10bf94df97ead371cb44cebea8df4c46b24a360515fd0421eb4294c2ec3e
  SHA512 d06ba5b0d006776cb3f9cf7f937c1e5dca08f90a35e29c67af85ebce8f8a2c0bc96d4f33dab28beba6070269cd0cebbcd8af6490149d866d0464b338fc4b5c7c

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\Screen.jpg
  MD5 3fecaeb4fcc595281885752f801a833d
  SHA1 d46ac15cb810c154b5a8e92ddb02b583d391f568
  SHA256 477dc4eba79e2cc6805eb66d1295d3c995da07527d328bf59931194490cfde52
  SHA512 8cc4c412f01fb38246e081fc13b78a05c65e8274206b3565c35d06cd7db252ca9d4fb25bbb76e7571a81d886c0739ceb96a61c085cd629b37b7a702e0f46a40e

Information.txt and Screen.jpg are the contents of the collection directory 1\ that VoipRT.module.exe archives; their hashes differ between the two runs because they carry run-specific data.

Analysis: behavioral2

Detonation Overview

Submitted: 2022-07-20 15:54
Reported: 2022-07-20 16:42
Platform: win10v2004-20220414-en
Max time kernel: 123s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe"

Signatures

Qulab Stealer & Clipper [stealer qulab]

ACProtect 1.3x - 1.4x DLL software (2 matches; no indicator details recorded)

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe

Sets file to hidden [evasion]
  Process: C:\Windows\SysWOW64\attrib.exe

UPX packed file [upx] (6 matches; no indicator details recorded)

Reads user/profile data of web browsers [spyware stealer]

Accesses cryptocurrency files/wallets, possible credential harvesting [spyware]

Checks installed software on the system [discovery]

Looks up external IP address via web service
  Indicator: ipapi.co (2 matches)

Drops file in System32 directory
  Description: File opened for modification (2 rows)
  Indicator: C:\Windows\SysWOW64\winmgmts:\localhost\
  Process: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe

Enumerates physical storage devices

NTFS ADS
  Description: File opened for modification
  Indicator: C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\
  Process: C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe
  Indicator: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\winmgmts:\localhost\
  Process: C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe

The same caveat as in behavioral1 applies: the indicators are the WMI moniker winmgmts:\localhost\ resolved against the process's working directory, so these two signatures record WMI access rather than a file dropped into System32 or an alternate data stream.

Suspicious behavior: RenamesItself
  Process: C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe

Suspicious use of WriteProcessMemory
  The report prints one row per write call; rows are collapsed here with their counts.
  PID 1736 wrote to memory of 2976 (3 rows): C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe -> C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe
  PID 2976 wrote to memory of 2032 (3 rows): C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe -> C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe
  PID 2976 wrote to memory of 2484 (3 rows): C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe -> C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes [evasion]
  Process: C:\Windows\SysWOW64\attrib.exe

Processes

Each entry is the image path followed by the command line recorded for it. From the WriteProcessMemory rows: 1736 -> 2976 -> 2032 and 2484. Unlike the Windows 7 run there is no taskeng.exe parent recorded here; VoipRT.exe is nevertheless listed three times, and only one instance (2976) appears in the rows above, so the launcher of the other two is not captured in this report.

C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe (PID 1736)
  "C:\Users\Admin\AppData\Local\Temp\4ef95b648698b364dca472ebf7ef0a4cdc18bfbb516eb857b90e52dcd32a4cfc.exe"

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe (PID 2976; listed three times in this run)
  C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.exe

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe (PID 2032)
  C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\ENU_801FE970A758A6AE9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\*"
  Same 7-Zip add command as in behavioral1; only the archive name (ENU_<hex>.7z) changes between runs.

C:\Windows\SysWOW64\attrib.exe (PID 2484)
  attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources"

Network

Country  Destination            Domain            Proto  Notes
US       8.8.8.8:53             api.telegram.org  udp    DNS lookup
NL       149.154.167.220:443    api.telegram.org  tcp    Telegram Bot API, as in behavioral1
US       8.8.8.8:53             ipapi.co          udp    DNS lookup
US       172.67.69.226:443      ipapi.co          tcp    external IP lookup
UA       217.147.169.126:80     (none resolved)   tcp    plain HTTP, as in behavioral1
US       93.184.220.29:80       (none resolved)   tcp
NL       88.221.144.179:80      (none resolved)   tcp
US       20.42.73.25:443        (none resolved)   tcp
NL       104.97.14.81:80        (none resolved)   tcp    3 connections
FR       2.18.109.224:443       (none resolved)   tcp
US       104.18.24.243:80       (none resolved)   tcp

The report does not attribute connections to PIDs. The ipapi.co, api.telegram.org and 217.147.169.126 entries repeat the Windows 7 run; the remaining addresses have no DNS record in the capture and are not tied to the sample by anything in this report, so they should not be taken as indicators without further evidence.

Files

Memory dumps (pid-index, range):
  2976-130 mapping
  2976-133, 2976-134, 2976-142, 2976-143  0x0000000061E00000-0x0000000061ED2000
  2032-135 mapping
  2032-137, 2032-141  0x0000000000400000-0x000000000047D000
  2484-144 mapping

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.sqlite3.module.dll (listed twice in the report; same file as in behavioral1)
  MD5 8c127ce55bfbb55eb9a843c693c9f240
  SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
  SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
  SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\VoipRT.module.exe (listed twice in the report; same file as in behavioral1)
  MD5 946285055913d457fda78a4484266e96
  SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
  SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
  SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\Information.txt
  MD5 94b8a755a7df8c1ebe5ba2ebacca78a4
  SHA1 f57f43cac65be1de8b9c4be542edcabf5e7bb2c9
  SHA256 e794a75c4e3c7be6e12865d54e3c4fac1ea26427e2c40e7a3a2ddef267b91279
  SHA512 1dfced25c12ef6835f864dfbda7a716b669b629c9530407d78eb74b9e72e65c19ac5607b74ad24bd58a42075bca44302be0855bd71a139fbd1ccf3423bbe5047

C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-rastls.resources\1\Screen.jpg
  MD5 c56ba2d80377f1c7e73c237fc620d79f
  SHA1 cdd59a6d1a1a4c474c19f1bacc289ca295179088
  SHA256 3c702a915ec35a6ce85b31316704a6bf55d6c782da0f96754bd04c21194f2767
  SHA512 50d7c16ac7a0cf5c0104e528771e8853d4c3190f1a8860c30a9c647fe5d0a2e5e9d3178a5b7993e67a7995088778c4e9a129cf35bed228cfebfde48efbe7490a

The dropped binaries (VoipRT.sqlite3.module.dll, VoipRT.module.exe) have identical hashes in both runs and are the stable indicators; Information.txt and Screen.jpg differ per run because they contain the collected data.