Prepared by: Jason Trapp, DFIR Analyst | Last update: 10 February 2026
A companion article covers the business impact and security implications for organisational leaders: From Torrented Software to Ransomware
Triskele Labs investigated a ransomware incident where initial access was traced to the installation of a torrented game, resulting in the execution of Guloader on the victim system. Guloader, a malware loader masquerading as 7zip.exe, deployed a VBS script containing a base64-encoded PowerShell payload that retrieved and executed additional code in memory from a command-and-control server.
This activity led to credential compromise and subsequent ransomware deployment within the victim’s organisation. This technical write-up documents the infection chain and artefacts observed, providing defenders with a real-world example of how unmonitored endpoints can enable initial access and downstream impact.
Name | Hash (SHA1)
9Beige.dat | 29d436688f9c4e1a472276bca2a9816cd798ca04
7zip.exe | a8292c137894d9683ea7e54047b7ee8a80b19291
68e0ed9c512a4.vbs | EC120682FEA225BCC00248759A1FB003F61C7B0B
Bigben.jpg | 4619069e53fe2ae527779bceb2b39b6d1ac29f1e
Image malware | 454f9c01e56d8791e7446a795027845cc338cde9
Memory malware | a4d0ac2e28e9c6d1640bc7d76f1e415671b0ea16
A recently released game was downloaded from a malicious source and installed from the user's J: drive on 04 October 2025 at 13:50.
The download itself did not take place on this endpoint; the installer arrived from elsewhere. However, we did observe the asset owner running the setup file on their desktop. During this period a file named avp.exe was created and subsequently removed from the system.
Neither the file nor its hash could be collected. avp.exe is the process name of Kaspersky's anti-virus product; a file carrying that name could have been used to tamper with or disable the security products installed on the victim system, for example through a Bring Your Own Vulnerable Driver (BYOVD) technique. Without the sample, this remains an inference from the file name alone.
Figure 1: Creation of avp.exe
Figure 2: Installation of Game
During installation, the game drops a file called 9Beige.dat to C:\Users\<username>\9Beige.dat and checks whether a scheduled task already exists that executes regsvr32.exe with the exact arguments /s /i "\\?\C:\Users\<username>\9Beige.dat". Reviewing the raw data of 9Beige.dat shows that the file begins with the bytes 4D 5A ("MZ" in ASCII), the DOS header magic of a Windows PE executable. The .dat extension is cosmetic: regsvr32 loads the path it is given with LoadLibrary regardless of extension, so the /i switch causes the file's export to run as a DLL.
Figure 3: Checks if Scheduled Task Exists
Figure 4: Raw Data of 9Beige.dat
This is followed by the creation of a scheduled task for 9Beige.dat named "Firefox BackgroundUpdate163.3.8375.22162.0.8709.86 S-1-5-21-1000-68BA7870", which imitates the naming convention of the legitimate Firefox background updater task. This stood out because Firefox has never been installed on the system and regsvr32.exe is not used to update Firefox. The task was scheduled to start at 13:52 and to repeat at a one (1) minute interval.
Figure 5: Scheduled Task for 9Beige.dat
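As an added example (not Triskele Labs' tooling and not anything recovered from the host), the following Python parses a Task Scheduler XML definition, the format Windows keeps under C:\Windows\System32\Tasks, and flags the pattern described above: regsvr32.exe /i pointed at a non-library extension inside a user profile, on a one-minute repetition, with the MZ/PE header check applied to the bytes of the referenced file. The task XML, the username jdoe and the file bytes are constructed to mirror Figures 3 to 5; real task files on disk are UTF-16 and would be read with open(path, encoding="utf-16").

```python
import ntpath
import re
import struct
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LIBRARY_EXTENSIONS = {".dll", ".ocx", ".ax"}

# Constructed task definition modelled on Figure 5 (username and SID suffix assumed).
# Real files under C:\Windows\System32\Tasks are UTF-16: open(path, encoding="utf-16").
SAMPLE_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\Firefox BackgroundUpdate163.3.8375.22162.0.8709.86 S-1-5-21-1000-68BA7870</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2025-10-04T13:52:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>regsvr32.exe</Command>
      <Arguments>/s /i"\\?\C:\Users\jdoe\9Beige.dat"</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed stand-in for the first bytes of 9Beige.dat: MZ stub, e_lfanew -> "PE\0\0".
SAMPLE_DAT = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"


def parse_regsvr32_target(arguments: str):
    """Path handed to regsvr32 /i, or None. Accepts '/i"path"' (no space, as in
    the observed task) as well as '/i "path"'; strips the \\?\ extended prefix."""
    match = re.search(r'/i\s*"([^"]+)"', arguments, re.IGNORECASE)
    if not match:
        return None
    path = match.group(1)
    return path[4:] if path.startswith("\\\\?\\") else path


def has_pe_header(data: bytes) -> bool:
    """True if data starts with the MZ DOS stub and e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def analyse_task(task_xml: str) -> dict:
    """Score one task definition; 'reasons' lists why it resembles the 9Beige.dat task."""
    root = ET.fromstring(task_xml)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=TASK_NS)

    reasons = []
    target = None
    if ntpath.basename(command).lower() == "regsvr32.exe":
        target = parse_regsvr32_target(arguments)
    if target:
        ext = ntpath.splitext(target)[1].lower()
        if ext not in LIBRARY_EXTENSIONS:
            reasons.append(f"regsvr32 /i loads a non-library extension ({ext})")
        if "\\users\\" in target.lower():
            reasons.append("payload sits under a user profile")
        if interval == "PT1M":
            reasons.append("one-minute repetition trigger")
        if "firefox" in name.lower() and "mozilla" not in command.lower():
            reasons.append("name imitates the Firefox updater but runs regsvr32")
    return {"name": name, "command": command, "target": target,
            "interval": interval, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    verdict = analyse_task(SAMPLE_TASK_XML)
    print(verdict["target"], verdict["reasons"])
    print("9Beige.dat is a PE image:", has_pe_header(SAMPLE_DAT))
```

Run across every task file on a suspect host, this turns the manual check in Figures 3 to 5 into a repeatable triage step; the PE header test is the same 4D 5A observation made in Figure 4, extended to confirm that e_lfanew lands on a real PE signature rather than stopping at the two magic bytes.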
7zip.exe was also dropped on the system. The exact mechanism could not be determined: the set-up file was not available for analysis and 9Beige.dat was not observed writing the file, which makes set-up.exe the likely source. Although the name suggests the compression utility, the file is actually Guloader posing as 7zip. Its metadata (file description, product name, copyright and original file name) masquerades as OpenVPN, and its icon is a parrot, which is associated with neither product. The origin of this logo is not known to the author.
Figure 6: VirusTotal Results for 7zip.exe
Figure 7: 7zip.exe (Guloader) Metadata
Figure 8: Execution of Guloader
After the Guloader executable runs, it drops a Visual Basic Script (VBS) to C:\Users\<username>\AppData\Local\Temp\IXP001.TMP\68e0ed9c512a4.vbs. The command prompt then creates a child process, WScript.exe, which runs the script.
Figure 9: 7zip.exe Process Tree
Figure 10: Command Prompt Execution
Figure 11: WScript Execution of VBS Script
This script executes base64-encoded PowerShell and then cleans up after itself. The encoded PowerShell is held mostly in the variable $ddsdgo, and before decoding, the script replaces the character sequence 'd@' with 'r'. This is a simple substitution that breaks the stored base64 text so that it does not decode until the replacement is reversed.
Figure 12: Guloader Encoded PowerShell
Figure 13: Guloader PowerShell Decoding and Execution
Once decoded, the PowerShell script first forces .NET to use TLS 1.2 for its outbound connections with [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12.
A function called DownloadDataFromLinks is defined that iterates over a set of links and downloads each file. In this case the links variable contained only one URL, hxxps[:]//62.60.226[.]168/public_files/test.jpg?12711313, which returned a picture of Big Ben. Appended after the image data was a base64 blob delimited by the markers <<BASE64_START>> and <<BASE64_END>>.
The base64 blob is decoded into $commandBytes and passed to [System.Reflection.Assembly]::Load(), which loads the resulting .NET assembly directly into the PowerShell process's memory without writing it to disk. The script then looks up the class testpowershell.Hoaaaaaasdme, storing the reflection handle in $type, and uses it to invoke the method lfsgeddddddda. That method fetches hxxp[:]//62.60.226[.]168/public_files/Bj4bgb[.]txt, an executable masquerading as a text file, runs it in memory and injects it into RegAsm.exe, a legitimate .NET assembly registration tool used here as a trusted host process.
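The chain in Figures 9 to 11, together with the RegAsm.exe injection step, is something a detection engineer will want to express as a process-lineage rule. The following Python is an added example, not the write-up's tooling: it reconstructs parent chains from Sysmon-style process-creation records and raises when RegAsm.exe is started by powershell.exe that itself descends from wscript.exe executing a .vbs out of an IXP*.TMP folder under %TEMP%. The events, PIDs, paths and the username jdoe are constructed for illustration; the benign RegAsm run at the end shows what the rule leaves alone.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records mirroring Figures 9-11 and the RegAsm step; the last two
# are a benign RegAsm run from an ordinary shell, included to show it is not flagged.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4120, 1000, r"C:\Users\jdoe\AppData\Local\Temp\7zip.exe", "7zip.exe"),
    ProcEvent(4188, 4120, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(4210, 4188, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\IXP001.TMP\68e0ed9c512a4.vbs"'),
    ProcEvent(4290, 4210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -e <base64>"),
    ProcEvent(4355, 4290, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe"),
    ProcEvent(5000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(5010, 5000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              "RegAsm.exe /codebase MyLib.dll"),
]

# A .vbs launched from %TEMP%\IXPnnn.TMP, the drop location Guloader used here.
IXP_SCRIPT = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.vbs", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def lineage(events, pid):
    """Walk from pid up through parents; stops at an unknown parent or a cycle."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect_guloader_chain(events):
    """RegAsm.exe <- powershell.exe <- ... <- wscript.exe running an IXP*.TMP .vbs."""
    hits = []
    for ev in events:
        if basename(ev.image) != "regasm.exe":
            continue
        chain = lineage(events, ev.pid)          # chain[0] is RegAsm itself
        names = [basename(e.image) for e in chain]
        if len(names) < 3 or names[1] != "powershell.exe" or "wscript.exe" not in names[2:]:
            continue
        wscript = next(e for e in chain[2:] if basename(e.image) == "wscript.exe")
        if IXP_SCRIPT.search(wscript.cmdline):
            hits.append({"pid": ev.pid, "chain": " -> ".join(reversed(names))})
    return hits


if __name__ == "__main__":
    for hit in detect_guloader_chain(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['chain']}")
```

The rule keys on lineage rather than on file names because the loader's own binary was renamed at least once on this host (7zip.exe, possibly xqw.exe); wscript.exe spawning PowerShell that spawns a .NET utility is the stable part of the chain.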
As the C2 hosts are no longer active, network traffic analysis could not be performed.
Figure 14: Decoded PowerShell Command
Figure 15: Picture of Big Ben with Embedded PowerShell Payload
Another executable, xqw.exe, was executed shortly afterwards; this file could not be recovered. It is possible that the Guloader 7zip.exe file was renamed to xqw.exe.
Figure 16: Unknown File Observed on Endpoint
Guloader cleans up after itself and removes its artefacts; in particular it removes the IXP000.TMP folder and, with it, the VBS script. This is achieved by writing values under the RunOnce registry key and to the PendingFileRenameOperations value, so the deletion is carried out by Windows at the next logon or reboot rather than by the loader itself.
Figure 17: Deletion of IXP000.TMP Folder
Figure 18: Creation of Cleanup RunOnce Registry Key
With C2 established, the threat actor would be able to perform actions such as credential harvesting or data exfiltration on the victim system. After being engaged to investigate the ransomware incident, Triskele Labs observed credentials that had previously been posted to the dark web and were indicated to have come from this user's endpoint. The credential dump occurred between the execution of Guloader and initial access to the corporate environment.
Figure 19: Flow of Incident
Files that could not be examined on the victim system include:
C:\Users\<username>\AppData\Roaming\Avp.exe
I plan on dedicating more time towards performing malware analysis on 9Beige.dat, Guloader, and the memory malware sample.