qulab | 829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e

General

Target

829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe
Size

2.0MB
MD5

3d9eb095d2972bde3181d98d31dabbb2
SHA1

8983da6d2e8ed54bf039d0d4be70619945a87635
SHA256

829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e
SHA512

20d6a862cdafd6cbf8d790d7640106b1d4ac70a46adbe95ff176f0fbde823ee93693c6f881085a727f1120e9ea5c552652f78b02007debf8623c6a84a7abcc12
SSDEEP

49152:uh+ZkldoPK8Ya7W/JN6MHUXobM38O5tj+fm4na/tJExr4oQtI3:n2cPK8VXb8UUfPoJE9

Score

10^/10

qulab discovery evasion ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\1\Information.txt

Family

qulab

Ransom Note

# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 29.01.2023, 17:30:15 OS: Windows 7 X64 / Build: 7601 UserName: Admin ComputerName: VUIIVLGQ Processor: Intel Core Processor (Broadwell) VideoCard: Standard VGA Graphics Adapter Memory: 2.00 Gb KeyBoard Layout ID: 00000409 Resolution: 1280x720x32, 1 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Adobe AIR - Google Chrome - Microsoft Office Professional Plus 2010 - Adobe AIR - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Office Professional Plus 2010 - Microsoft Office Access MUI (English) 2010 - Microsoft Office Excel MUI (English) 2010 - Microsoft Office PowerPoint MUI (English) 2010 - Microsoft Office Publisher MUI (English) 2010 - Microsoft Office Outlook MUI (English) 2010 - Microsoft Office Word MUI (English) 2010 - Microsoft Office Proof (English) 2010 - Microsoft Office Proof (French) 2010 - Microsoft Office Proof (Spanish) 2010 - Microsoft Office Proofing (English) 2010 - Microsoft Office InfoPath MUI (English) 2010 - Microsoft Office Shared MUI (English) 2010 - Microsoft Office OneNote MUI (English) 2010 - Microsoft Office Groove MUI (English) 2010 - Microsoft Office Shared Setup Metadata MUI (English) 2010 - Microsoft Office Access Setup Metadata MUI (English) 2010 - Update for Microsoft .NET Framework 4.7.2 (KB4087364) - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Reader 9 - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - smss.exe / PID: 260 - csrss.exe / PID: 332 - wininit.exe / PID: 368 - csrss.exe / PID: 380 - winlogon.exe / PID: 416 - services.exe / PID: 460 - lsass.exe / PID: 476 - lsm.exe / PID: 484 - svchost.exe / PID: 600 - svchost.exe / PID: 676 - svchost.exe / PID: 752 - svchost.exe / PID: 804 - svchost.exe / PID: 844 - svchost.exe / PID: 880 - svchost.exe / PID: 280 - spoolsv.exe / PID: 324 - svchost.exe / PID: 1040 - taskhost.exe / PID: 1160 - dwm.exe / PID: 1240 - explorer.exe / PID: 1300 - svchost.exe / PID: 1780 - sppsvc.exe / PID: 760 - WMIADAP.exe / PID: 1972 - WmiPrvSE.exe / PID: 1948 - taskeng.exe / PID: 468 - MMDevAPI.exe / PID: 1480

URLs

http://teleg.run/QulabZ

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll	acprotect
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

MMDevAPI.module.exe

pid process

2012 MMDevAPI.module.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1588 attrib.exe

pid	process
2012	MMDevAPI.module.exe

pid	process
1588	attrib.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe	upx
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe	upx
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe	upx
behavioral1/memory/2012-69-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

MMDevAPI.exe

pid process

1480 MMDevAPI.exe
1480 MMDevAPI.exe
1480 MMDevAPI.exe
1480 MMDevAPI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipapi.co
7 ipapi.co

pid	process
1480	MMDevAPI.exe
1480	MMDevAPI.exe
1480	MMDevAPI.exe
1480	MMDevAPI.exe

flow	ioc
4	ipapi.co
7	ipapi.co

Drops file in System32 directory 2 IoCs

Processes:

MMDevAPI.exeMMDevAPI.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	MMDevAPI.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	MMDevAPI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

MMDevAPI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MMDevAPI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MMDevAPI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MMDevAPI.exe

NTFS ADS 2 IoCs

Processes:

829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exeMMDevAPI.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\winmgmts:\localhost\	MMDevAPI.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MMDevAPI.exe

pid process

1480 MMDevAPI.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe

pid process

1728 829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe

pid	process
1480	MMDevAPI.exe

pid	process
1728	829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

MMDevAPI.module.exe

description	pid	process
Token: SeRestorePrivilege	2012	MMDevAPI.module.exe
Token: 35	2012	MMDevAPI.module.exe
Token: SeSecurityPrivilege	2012	MMDevAPI.module.exe
Token: SeSecurityPrivilege	2012	MMDevAPI.module.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exetaskeng.exeMMDevAPI.exe

description	pid	process	target process
PID 1728 wrote to memory of 1136	1728	829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe	MMDevAPI.exe
PID 1728 wrote to memory of 1136	1728	829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe	MMDevAPI.exe
PID 1728 wrote to memory of 1136	1728	829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe	MMDevAPI.exe
PID 1728 wrote to memory of 1136	1728	829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe	MMDevAPI.exe
PID 468 wrote to memory of 1480	468	taskeng.exe	MMDevAPI.exe
PID 468 wrote to memory of 1480	468	taskeng.exe	MMDevAPI.exe
PID 468 wrote to memory of 1480	468	taskeng.exe	MMDevAPI.exe
PID 468 wrote to memory of 1480	468	taskeng.exe	MMDevAPI.exe
PID 1480 wrote to memory of 2012	1480	MMDevAPI.exe	MMDevAPI.module.exe
PID 1480 wrote to memory of 2012	1480	MMDevAPI.exe	MMDevAPI.module.exe
PID 1480 wrote to memory of 2012	1480	MMDevAPI.exe	MMDevAPI.module.exe
PID 1480 wrote to memory of 2012	1480	MMDevAPI.exe	MMDevAPI.module.exe
PID 1480 wrote to memory of 1588	1480	MMDevAPI.exe	attrib.exe
PID 1480 wrote to memory of 1588	1480	MMDevAPI.exe	attrib.exe
PID 1480 wrote to memory of 1588	1480	MMDevAPI.exe	attrib.exe
PID 1480 wrote to memory of 1588	1480	MMDevAPI.exe	attrib.exe
PID 468 wrote to memory of 1952	468	taskeng.exe	MMDevAPI.exe
PID 468 wrote to memory of 1952	468	taskeng.exe	MMDevAPI.exe
PID 468 wrote to memory of 1952	468	taskeng.exe	MMDevAPI.exe
PID 468 wrote to memory of 1952	468	taskeng.exe	MMDevAPI.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1588 attrib.exe

pid	process
1588	attrib.exe

C:\Users\Admin\AppData\Local\Temp\829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe
"C:\Users\Admin\AppData\Local\Temp\829874ef38082046c3a0f119c51cd1cd236efd73b52860f438b694baf9bba55e.exe"
1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
  2⤵
  - NTFS ADS
  PID:1136

C:\Windows\system32\taskeng.exe
taskeng.exe {F35E8A2E-211B-4D8F-8423-754BFCCC0FF1} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe
    C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\ENU_687FE9717C69956E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\1\*"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1588
- C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
  C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.exe
  2⤵
  - Drops file in System32 directory
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\1\Information.txt

Filesize
3KB

MD5
7119b97248ebff7b82a7dbf7ff78a743

SHA1
9e37c76ba20d521fbfff9e53bf12a84ac11483aa

SHA256
4e29aeb5cb9bb894eeca7df4669e3c172bc0f4b9196f0e88fcfa5c528367a778

SHA512
c39227c43b8a7f436c00dfb506f47b22e0a460b945fae15cc49bf3cfbdd0de99fd6fa7e7c213af3d85af3420fc802661655401b93a4d0fd6f5d524b991b66bdd

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\1\Screen.jpg

Filesize
41KB

MD5
4be4b90bbdaa15d783a9d12cb8b22410

SHA1
fcfc0c882c444b7a41e9bc9a84ef93e65cf0f6b9

SHA256
243d761779aa9fa6b1d3672f7c840036926115462a644cef9ac9620dfe93bd92

SHA512
3de90763d37106fe9e300f6cfdacec56f82e4693462ded4c9f5bac55a9c87c995ce2436615246d2609a34fda4491f6fd0d851d96315e5cb980e60956ca1f447e

Download Submit
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe

Filesize
197KB

MD5
51942faf8ad170cbffbf73c3ee0d2487

SHA1
7acc325f4b6fe6a14350636f08d2ac88ff478814

SHA256
2c2bf05d3dcb37856d36a2fc13cf56363a3ad962c265a46ecd29c289125f421e

SHA512
0e2b6455e5108c08dfd714443bfb347627dd8479033c3ae4aac2aa06fab22148439c58c04c8d6085a36a1372d5e76f322ce3c1aaca1da5cac0c5c9f630c1882e

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe

Filesize
197KB

MD5
51942faf8ad170cbffbf73c3ee0d2487

SHA1
7acc325f4b6fe6a14350636f08d2ac88ff478814

SHA256
2c2bf05d3dcb37856d36a2fc13cf56363a3ad962c265a46ecd29c289125f421e

SHA512
0e2b6455e5108c08dfd714443bfb347627dd8479033c3ae4aac2aa06fab22148439c58c04c8d6085a36a1372d5e76f322ce3c1aaca1da5cac0c5c9f630c1882e

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.module.exe

Filesize
197KB

MD5
51942faf8ad170cbffbf73c3ee0d2487

SHA1
7acc325f4b6fe6a14350636f08d2ac88ff478814

SHA256
2c2bf05d3dcb37856d36a2fc13cf56363a3ad962c265a46ecd29c289125f421e

SHA512
0e2b6455e5108c08dfd714443bfb347627dd8479033c3ae4aac2aa06fab22148439c58c04c8d6085a36a1372d5e76f322ce3c1aaca1da5cac0c5c9f630c1882e

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll

Filesize
360KB

MD5
42923a2f6d29a7b23207f0691b2f6c94

SHA1
ce0cdffe4266464aeed9c912b80d186bf8b71871

SHA256
f0a4c7a420b415e1e17fee1905aa3e99721ff5c48594a0f62fdf33469acf7bd6

SHA512
7f344b2b0fa11070333fcd1eec39c7f68df3cab91e874e2d23b3956cc5918fe962be07cddaeb4afffb4c1978cd2a920d99b425a1a922dbb0c723ab148789c8d2

Download Submit
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..nalservices-runtime\MMDevAPI.sqlite3.module.dll

Filesize
360KB

MD5
42923a2f6d29a7b23207f0691b2f6c94

SHA1
ce0cdffe4266464aeed9c912b80d186bf8b71871

SHA256
f0a4c7a420b415e1e17fee1905aa3e99721ff5c48594a0f62fdf33469acf7bd6

SHA512
7f344b2b0fa11070333fcd1eec39c7f68df3cab91e874e2d23b3956cc5918fe962be07cddaeb4afffb4c1978cd2a920d99b425a1a922dbb0c723ab148789c8d2

Download Submit
memory/1136-55-0x0000000000000000-mapping.dmp

Download
memory/1480-62-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/1480-57-0x0000000000000000-mapping.dmp

Download
memory/1480-61-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/1480-70-0x0000000004BC0000-0x0000000004C3D000-memory.dmp

Filesize
500KB

Download
memory/1588-71-0x0000000000000000-mapping.dmp

Download
memory/1728-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1952-72-0x0000000000000000-mapping.dmp

Download
memory/2012-65-0x0000000000000000-mapping.dmp

Download
memory/2012-69-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads