Malware Analysis Report

2024-09-23 04:57

Sample ID 231224-cjdeeadbcm
Target e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe
SHA256 e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272
Tags
qulab discovery evasion spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272

Threat Level: Known bad

The file e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe was found to be: Known bad.

Malicious Activity Summary

qulab discovery evasion spyware stealer upx

Qulab Stealer & Clipper

Sets file to hidden

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

AutoIT Executable

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Views/modifies file attributes

Modifies system certificate store

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-12-24 02:06

Signatures

AutoIT Executable


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-24 02:06

Reported

2023-12-24 02:12

Platform

win7-20231215-en

Max time kernel

60s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

ACProtect 1.3x - 1.4x DLL software


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_c\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_c\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 2916 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 2916 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 2916 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 2608 wrote to memory of 2816 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 2608 wrote to memory of 2816 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 2608 wrote to memory of 2816 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 2608 wrote to memory of 2816 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 2608 wrote to memory of 2816 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 2608 wrote to memory of 2816 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 2608 wrote to memory of 2816 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 2728 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe
PID 2728 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe
PID 2728 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe
PID 2728 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe
PID 2728 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 2728 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 2728 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 2728 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 2728 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Windows\SysWOW64\attrib.exe
PID 2728 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Windows\SysWOW64\attrib.exe
PID 2728 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Windows\SysWOW64\attrib.exe
PID 2728 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Windows\SysWOW64\attrib.exe
PID 344 wrote to memory of 1496 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 344 wrote to memory of 1496 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 344 wrote to memory of 1496 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 344 wrote to memory of 1496 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe

"C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe"

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_c\ENU_687FE97D938BC13E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_c\ABC\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_c"

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {A99A2F44-A7F3-46DC-9794-00F80EE246F9} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 redir.metaservices.microsoft.com udp
GB 88.221.134.89:80 redir.metaservices.microsoft.com tcp
US 8.8.8.8:53 onlinestores.metaservices.microsoft.com udp
GB 88.221.134.130:80 onlinestores.metaservices.microsoft.com tcp
US 8.8.8.8:53 ipapi.co udp
US 172.67.69.226:443 ipapi.co tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dll.3

MD5 2b11bd827ac4323b96cf8adcdd8e3d54
SHA1 4a170b694a547f4267e714e0195baa9a32338ba9
SHA256 8e9b45ec752dfdf7f2c86a69ee0bb0e0ea9bc73d0c02276b19121f29974f1dbb
SHA512 15f967cad7815fd71eaf3d86e89a6de3cbc0cb36a5c2cd7793d5ccc4c794f13c45fc74a3b311f89edf86819f72b2994209ab17382ab66e62e526b9d26fb7ee80

\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

\Users\Admin\AppData\Roaming\amd64_c\KBDRU.sqlite3.module.dll

MD5 4c7c71f112a1d4ef7488b71a35f8e26f
SHA1 7c33ac66d703026344ddfc46506e41d4a783f626
SHA256 396c09c6290aeebbf994785e634cf8c8917bf2e5b3da37910db13e5b0a13b40e
SHA512 851effc05279aa6d2048316fe3da1f5a9c2d58c915c74121523baf7385db8f43e1588de543e50fd46e3792fed38e17a6ec9e3ca2cdc288b8d786547396f3dd64

memory/2728-15-0x0000000061E00000-0x0000000061ED2000-memory.dmp

memory/2728-12-0x0000000061E00000-0x0000000061ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~nkjuvne.tmp

MD5 25b37a8c6bce274745637bb21baa6b19
SHA1 0271fd093538e6d0b389e4a964449e12853ddf8a
SHA256 d6025a365fcc03c6b5f1f20e08fc8ecc327e385a5821ceeddb60df8c700c0b45
SHA512 340967484a3b250b4c377caed3cf51a7d63b4e1e362c1b2732d7265974995054be921712013a5d10c3972fa4ecf448a51802f186b0d796a78f61532f90357c19

memory/2728-23-0x0000000061E00000-0x0000000061ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp21207.WMC\allservices.xml

MD5 df03e65b8e082f24dab09c57bc9c6241
SHA1 6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf
SHA256 155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba
SHA512 ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

C:\Users\Admin\AppData\Local\Temp\tmp24873.WMC\serviceinfo.xml

MD5 d58da90d6dc51f97cb84dfbffe2b2300
SHA1 5f86b06b992a3146cb698a99932ead57a5ec4666
SHA256 93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad
SHA512 7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

memory/2728-42-0x0000000065080000-0x0000000065237000-memory.dmp

memory/2728-41-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

memory/2728-54-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/2728-53-0x0000000002C60000-0x0000000002C61000-memory.dmp

memory/2728-52-0x0000000002C70000-0x0000000002C71000-memory.dmp

memory/2728-51-0x00000000027A0000-0x00000000027A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB752.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarB764.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe.3

MD5 1f8044b1008b5d23d7bc7aba14f87a7d
SHA1 455987e9bdb83d371ea21b577228ecb3c563cb38
SHA256 3b50d7eba0f50d118c95efd8de04443084a8ca3dcd5a5719df23c87640adb44a
SHA512 a89b2e082625ee3001ec2cb407aaee80effd73232d1ac9ad363f24bee0b8d0e38815e61ea589b02587980fa156216c1507cd425a745528c2ebc604c75bea0885

\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

memory/1864-129-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\UnprotectSplit.pdf

MD5 e41954c60361dc946b9184651b9ab327
SHA1 98115f7bb35f3d2599a6dc80d608ea6c5b61b36f
SHA256 fd0de2c88dddb7ef730afadf704071e4c5841485cd6f4164303f0ebd6d361225
SHA512 374c015369dd364417310067051551ce1c5b60f865d13743456d37fe4cab8c6884a6ce99708b1a3ce7fa8f22df545521cfaeb4c4c90882f92025bd29a9adfd64

C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Screen.jpg

MD5 5f9d9f79a408922567e5b76ac4505010
SHA1 cf9528521611fde451eedb7316f4cc1949f1222d
SHA256 994b75f31e98f40c0af732d5cc153b20764ef8617ad1fdc4af637e29c79df056
SHA512 483fe1632b7b7869c319bda57eb9240a524f53acbcbc75c25bdcfacadfc799976170d33618688ae98973efa159aa041b2b2b8594a992c1cd38722fd7efe13914

C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Information.txt

MD5 67a45e7be3799e3d965346bf7887517c
SHA1 4dbd387ea8aecdd14307a25086fd0cc3217b96e0
SHA256 cc056ca0811e451439edb18340abd4d6904dad5bb39db54e4d118ad01140c0de
SHA512 7560f6ef5c41e075c215792550cc34f9cd30953d99f35b9fc8f4737788dcc47929fdbd3088b99a7487b99db07f61f4a5c894eb6a9484c24d197062fdbbbf30d8

C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Recently.docx

MD5 3b068f508d40eb8258ff0b0592ca1f9c
SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\ts\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Roaming\amd64_c\ABC\Desktop TXT Files\CompressConvertFrom.doc

MD5 22841a4f150ce0cf52cc8fc5533bdef3
SHA1 186a350c4c02d9ec63755c5458b93587bbb33a20
SHA256 ed13b13789541e09077b86bebb4e6da5e6b10a6e5183d436d2c6659d87794208
SHA512 404b0fb201f2c2cab7a788553733bd5d9a578b54cd9f37140ca6fee2d30c27250e92204fdae5e328523642745918cba022eb3b9a7618c46aa9b32872e75e0894

memory/2728-128-0x00000000070B0000-0x000000000712D000-memory.dmp

memory/1864-140-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2728-127-0x00000000070B0000-0x000000000712D000-memory.dmp

C:\Users\Admin\AppData\Roaming\amd64_c\E

MD5 ecaa88f7fa0bf610a5a26cf545dcd3aa
SHA1 57218c316b6921e2cd61027a2387edc31a2d9471
SHA256 f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
SHA512 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

memory/1444-145-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/2728-146-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-24 02:06

Reported

2023-12-24 02:14

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

ACProtect 1.3x - 1.4x DLL software


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_c\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\amd64_c\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 1544 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 1544 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 4996 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe
PID 4996 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe
PID 4996 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe
PID 4996 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 4996 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 4996 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 4996 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Windows\SysWOW64\attrib.exe
PID 4996 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Windows\SysWOW64\attrib.exe
PID 4996 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Windows\SysWOW64\attrib.exe
PID 4904 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 4904 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe
PID 4904 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe

"C:\Users\Admin\AppData\Local\Temp\e2115a42e4ef267a4484cbb5cd342ea5d12b26f93fb76f6ba92eed12129dd272.exe"

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_c\ENU_801FE97BE7B671AE9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_c\ABC\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_c"

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4996 -ip 4996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 3124

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

C:\Users\Admin\AppData\Roaming\amd64_c\KBDRU.exe

Network


Files
