qulab | 2e46b4136c5556e634f1ceec894c9618198d36711f0bb45cf2aee4d1b54b0b10

General

Target

3d9ae690ce0efb6453b8417a1f2c3fd7.exe
Size

2.1MB
MD5

3d9ae690ce0efb6453b8417a1f2c3fd7
SHA1

e64bf38a98608c4c2159fa03d4df1cdd8696e7ef
SHA256

2e46b4136c5556e634f1ceec894c9618198d36711f0bb45cf2aee4d1b54b0b10
SHA512

2f5b13655c265a4e7d0ba2312b4fab12c7e965fc57f574952c3f84898157defca31609d3eaf474afcb5339bc7d121318fa5403ca0acd47bf9b286d176be90d97
SSDEEP

49152:dh+ZkldoPK8YaEWsLotFKuKQcIgBFKDT4QfV4r:O2cPK8761IgCDH9

Score

10^/10

qulab discovery evasion ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\1\Information.txt

Family

qulab

Ransom Note

# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 19.12.2023, 17:17:00 Main Information: - OS: Windows 7 X64 / Build: 7601 - UserName: Admin - ComputerName: GLTGRJAG - Processor: Intel(R) Xeon(R) CPU E5-2689 0 @ 2.60GHz - VideoCard: Standard VGA Graphics Adapter - Memory: 2.00 Gb - KeyBoard Layout ID: 00000409 - Resolution: 1280x720x32, 1 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Adobe AIR - Google Chrome - Microsoft Office Professional Plus 2010 - Adobe AIR - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Office Professional Plus 2010 - Microsoft Office Access MUI (English) 2010 - Microsoft Office Excel MUI (English) 2010 - Microsoft Office PowerPoint MUI (English) 2010 - Microsoft Office Publisher MUI (English) 2010 - Microsoft Office Outlook MUI (English) 2010 - Microsoft Office Word MUI (English) 2010 - Microsoft Office Proof (English) 2010 - Microsoft Office Proof (French) 2010 - Microsoft Office Proof (Spanish) 2010 - Microsoft Office Proofing (English) 2010 - Microsoft Office InfoPath MUI (English) 2010 - Microsoft Office Shared MUI (English) 2010 - Microsoft Office OneNote MUI (English) 2010 - Microsoft Office Groove MUI (English) 2010 - Microsoft Office Shared Setup Metadata MUI (English) 2010 - Microsoft Office Access Setup Metadata MUI (English) 2010 - Update for Microsoft .NET Framework 4.7.2 (KB4087364) - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Reader 9 - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - smss.exe / PID: 260 - csrss.exe / PID: 336 - wininit.exe / PID: 388 - csrss.exe / PID: 400 - winlogon.exe / PID: 436 - services.exe / PID: 480 - lsass.exe / PID: 496 - lsm.exe / PID: 504 - svchost.exe / PID: 616 - svchost.exe / PID: 684 - svchost.exe / PID: 768 - svchost.exe / PID: 832 - svchost.exe / PID: 860 - audiodg.exe / PID: 944 - svchost.exe / PID: 1012 - svchost.exe / PID: 356 - spoolsv.exe / PID: 308 - svchost.exe / PID: 1040 - taskhost.exe / PID: 1248 - dwm.exe / PID: 1320 - explorer.exe / PID: 1352 - dllhost.exe / PID: 1980 - svchost.exe / PID: 2268 - sppsvc.exe / PID: 2108 - SSShim.exe / PID: 2356

URLs

http://teleg.run/QulabZ

Signatures

Qulab Stealer & Clipper
Infostealer and clipper created with AutoIt.
stealer qulab
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1648 attrib.exe

pid	process
1648	attrib.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.sqlite3.module.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

SSShim.module.exe

pid process

2796 SSShim.module.exe
Loads dropped DLL 4 IoCs

Processes:

SSShim.exe

pid process

2356 SSShim.exe
2356 SSShim.exe
2356 SSShim.exe
2356 SSShim.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2796	SSShim.module.exe

pid	process
2356	SSShim.exe
2356	SSShim.exe
2356	SSShim.exe
2356	SSShim.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.sqlite3.module.dll	upx
\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.module.exe	upx
behavioral1/memory/2796-87-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2796-91-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ipapi.co
10 ipapi.co

flow	ioc
9	ipapi.co
10	ipapi.co

Drops file in System32 directory 2 IoCs

Processes:

SSShim.exeSSShim.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	SSShim.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\	SSShim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

SSShim.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	SSShim.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	SSShim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	SSShim.exe

NTFS ADS 2 IoCs

Processes:

3d9ae690ce0efb6453b8417a1f2c3fd7.exeSSShim.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\	3d9ae690ce0efb6453b8417a1f2c3fd7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\winmgmts:\localhost\	SSShim.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

SSShim.exe

pid process

2356 SSShim.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

3d9ae690ce0efb6453b8417a1f2c3fd7.exe

pid process

2656 3d9ae690ce0efb6453b8417a1f2c3fd7.exe

pid	process
2356	SSShim.exe

pid	process
2656	3d9ae690ce0efb6453b8417a1f2c3fd7.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SSShim.module.exe

description	pid	process
Token: SeRestorePrivilege	2796	SSShim.module.exe
Token: 35	2796	SSShim.module.exe
Token: SeSecurityPrivilege	2796	SSShim.module.exe
Token: SeSecurityPrivilege	2796	SSShim.module.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3d9ae690ce0efb6453b8417a1f2c3fd7.exeSSShim.exetaskeng.exe

description	pid	process	target process
PID 2656 wrote to memory of 2356	2656	3d9ae690ce0efb6453b8417a1f2c3fd7.exe	SSShim.exe
PID 2656 wrote to memory of 2356	2656	3d9ae690ce0efb6453b8417a1f2c3fd7.exe	SSShim.exe
PID 2656 wrote to memory of 2356	2656	3d9ae690ce0efb6453b8417a1f2c3fd7.exe	SSShim.exe
PID 2656 wrote to memory of 2356	2656	3d9ae690ce0efb6453b8417a1f2c3fd7.exe	SSShim.exe
PID 2356 wrote to memory of 2796	2356	SSShim.exe	SSShim.module.exe
PID 2356 wrote to memory of 2796	2356	SSShim.exe	SSShim.module.exe
PID 2356 wrote to memory of 2796	2356	SSShim.exe	SSShim.module.exe
PID 2356 wrote to memory of 2796	2356	SSShim.exe	SSShim.module.exe
PID 2420 wrote to memory of 544	2420	taskeng.exe	SSShim.exe
PID 2420 wrote to memory of 544	2420	taskeng.exe	SSShim.exe
PID 2420 wrote to memory of 544	2420	taskeng.exe	SSShim.exe
PID 2420 wrote to memory of 544	2420	taskeng.exe	SSShim.exe
PID 2420 wrote to memory of 996	2420	taskeng.exe	SSShim.exe
PID 2420 wrote to memory of 996	2420	taskeng.exe	SSShim.exe
PID 2420 wrote to memory of 996	2420	taskeng.exe	SSShim.exe
PID 2420 wrote to memory of 996	2420	taskeng.exe	SSShim.exe
PID 2356 wrote to memory of 1648	2356	SSShim.exe	attrib.exe
PID 2356 wrote to memory of 1648	2356	SSShim.exe	attrib.exe
PID 2356 wrote to memory of 1648	2356	SSShim.exe	attrib.exe
PID 2356 wrote to memory of 1648	2356	SSShim.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1648 attrib.exe

pid	process
1648	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3d9ae690ce0efb6453b8417a1f2c3fd7.exe
"C:\Users\Admin\AppData\Local\Temp\3d9ae690ce0efb6453b8417a1f2c3fd7.exe"
1⤵
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
  C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
  2⤵
  - Loads dropped DLL
  - Modifies system certificate store
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.module.exe
    C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\ENU_687FE9771A274C7E9D41.7z" "C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\1\*"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Users\Admin\AppData\Roaming\msil_napsnap.resources"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1648

C:\Windows\system32\taskeng.exe
taskeng.exe {DC4C7068-9E96-48B7-BFD1-48519C7352EA} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
  C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
  2⤵
  - Drops file in System32 directory
  PID:544
- C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
  C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.exe
  2⤵
  - Drops file in System32 directory
  PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1184.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\1\Information.txt

Filesize
3KB

MD5
ec7f08dc78feec4ae8a9e78b24e82721

SHA1
4335266f9d31067ad00b512cb7502177dacedcb9

SHA256
d201206031d264cc1c2f34a79514e1a338c8e3e20e7883d458c0b9a5d726dc3a

SHA512
24fe4eb6fe2576b6d320ccf8cb20027b515fbf5c374c5490d6f6dced329a6aed52a606f40aabf26df922c9571b04324769407779526b3a9a1760baa0aa9954bb

Download Submit
C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\1\Screen.jpg

Filesize
47KB

MD5
00d08b877382588a84b0f985f299b718

SHA1
3c2cbf9dbf16e228d5aff06172c7ac56bfbf267c

SHA256
f61e08cad2a2c3f9bf9e6ed57c33f72cccf449465cb6f52b5c7bae48f931e7b1

SHA512
db69f301ba8f503009b1f26ff82299d9422bf681e7cf5676e71e02e18a90b3e7484bda5900e6401531c0153e996279d3b4602693ad32b4801760b3ef1a5c1719

Download Submit
C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.module.exe.7

Filesize
197KB

MD5
bde3266064c287f3acbbd36e2f397d1c

SHA1
001f15df928bf9e0d74ae0263b131cda35470d8b

SHA256
59e188fcb29afeaef50adecc9473b8a1dc9b25743e14e0911fef2e9c1e62db76

SHA512
ba0f1c6b5e52c0b0ff7c0bf8637fca16a6f591e0d0807c50aaf904e95788fc6eec169554f1a8cf47a09bb18b8f94b34c2f8cd67d7bfdc7300180f54c79a62d75

Download Submit
C:\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.sqlite3.module.dll.7

Filesize
360KB

MD5
f2613cc54e47166dc40f6b26f74f72f3

SHA1
63f7a6117c80f67697805bcf75c9fb003411039f

SHA256
4cb37237ac6ee8150c83a179858e13abfd619416a62b69acf3bf4e28fd7055bb

SHA512
ffd714f97f2e39da4a391c99fed72fe8e14b59872e15059ac9874a92c2d2cc3860c0ae2f2c108a3cee39c59d51a817882d0fda8ef6f7d1413ced26da5be99fef

Download Submit
\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.module.exe

Filesize
197KB

MD5
946285055913d457fda78a4484266e96

SHA1
668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

SHA256
23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

SHA512
30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

Download Submit
\Users\Admin\AppData\Roaming\msil_napsnap.resources\SSShim.sqlite3.module.dll

Filesize
360KB

MD5
8c127ce55bfbb55eb9a843c693c9f240

SHA1
75c462c935a7ff2c90030c684440d61d48bb1858

SHA256
4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

SHA512
d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

Download Submit
memory/2356-86-0x0000000002A30000-0x0000000002AAD000-memory.dmp

Filesize
500KB

Download
memory/2356-85-0x0000000002A30000-0x0000000002AAD000-memory.dmp

Filesize
500KB

Download
memory/2356-12-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/2356-15-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/2356-93-0x0000000002A30000-0x0000000002AAD000-memory.dmp

Filesize
500KB

Download
memory/2356-94-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/2356-95-0x0000000001410000-0x0000000001411000-memory.dmp

Filesize
4KB

Download
memory/2356-96-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/2356-97-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2796-87-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2796-91-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads