Analysis Overview
SHA256
dc71309d185aa1c39ae1ce97daab077bdb1f9ca1617e2fccd741d15a9be8648b
Threat Level: Known bad
The file Worship.zip was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
RedLine
Djvu Ransomware
Lumma Stealer, LummaC
RedLine payload
Credentials from Password Stores: Credentials from Web Browsers
Downloads MZ/PE file
Stops running service(s)
Creates new service(s)
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Reads data files stored by FTP clients
Power Settings
Looks up external IP address via web service
System Binary Proxy Execution: Verclsid
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Launches sc.exe
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies system certificate store
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-02 19:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-02 19:12
Reported
2024-09-02 19:18
Platform
win7-20240708-en
Max time kernel
298s
Max time network
299s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Lumma Stealer, LummaC
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk | C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" | C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2e348701-bad8-4ce5-88bd-01049c8e5222\\cxr20XMewyeALwN4CoQgbAzd.exe\" --AutoStart" | C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
System Binary Proxy Execution: Verclsid
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\verclsid.exe | N/A |
Suspicious use of SetThreadContext
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminCAFBGHIDBG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminEBGDHJECFC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\Worship\Worship.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\Worship\Worship.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\Worship\Worship.pif | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Worship\Worship.pif | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Worship\Worship.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\Worship\Worship.pif | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Worship\Worship.pif | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Worship\Worship.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Worship.zip
C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
C:\Users\Admin\Documents\Worship\Worship.pif
"C:\Users\Admin\Documents\Worship\Worship.pif" C:\Users\Admin\DOCUME~1\Worship\y
C:\Users\Admin\Documents\Worship\Worship.pif
C:\Users\Admin\Documents\Worship\Worship.pif
C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe
C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe
C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe
C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe
C:\Users\Admin\Documents\iofolko5\xVgYPV_K4LUHOzKuQoDbXikQ.exe
C:\Users\Admin\Documents\iofolko5\xVgYPV_K4LUHOzKuQoDbXikQ.exe
C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe
C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe
C:\Users\Admin\Documents\iofolko5\h2PXVUpO7VPPDpwHJlB_xBgz.exe
C:\Users\Admin\Documents\iofolko5\h2PXVUpO7VPPDpwHJlB_xBgz.exe
C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe
C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe
C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe
C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe
C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe
C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe
C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe
C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe
C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe
C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe
C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp" /SL5="$50228,3518631,54272,C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe
C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe
"C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2e348701-bad8-4ce5-88bd-01049c8e5222" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe
"C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe
"C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEBGDHJECFC.exe"
C:\Users\AdminEBGDHJECFC.exe
"C:\Users\AdminEBGDHJECFC.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCAFBGHIDBG.exe"
C:\Users\AdminCAFBGHIDBG.exe
"C:\Users\AdminCAFBGHIDBG.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "VIFLJRPW"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "VIFLJRPW"
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\AFBKKFBAEGDH" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pxHPmOWWWZs.pxHPmOWWWZs | udp |
| NL | 62.133.61.172:80 | 62.133.61.172 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| NL | 62.133.61.172:80 | 62.133.61.172 | tcp |
| US | 8.8.8.8:53 | 240902180529931.tyr.zont16.com | udp |
| US | 8.8.8.8:53 | file-link-iota.vercel.app | udp |
| US | 8.8.8.8:53 | prodesarrolloapurimac.pe | udp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| RU | 80.66.75.114:80 | 80.66.75.114 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| RU | 176.111.174.109:80 | 176.111.174.109 | tcp |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| CA | 51.222.104.23:80 | prodesarrolloapurimac.pe | tcp |
| US | 76.76.21.164:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.164:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.164:80 | file-link-iota.vercel.app | tcp |
| CH | 179.43.188.227:80 | 240902180529931.tyr.zont16.com | tcp |
| US | 76.76.21.164:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.164:443 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.164:443 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.164:443 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.164:443 | file-link-iota.vercel.app | tcp |
| CA | 51.222.104.23:443 | prodesarrolloapurimac.pe | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 77.105.164.24:50505 |  | tcp |
| CZ | 46.8.231.109:80 | 46.8.231.109 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.247.162:443 | steamcommunity.com | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| DE | 147.45.47.36:30035 |  | tcp |
| US | 8.8.8.8:53 | cajgtus.com | udp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| KR | 125.7.253.10:80 | cajgtus.com | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| FI | 95.216.107.53:12311 |  | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| US | 8.8.8.8:53 | stamppreewntnq.shop | udp |
| US | 172.67.208.211:443 | stamppreewntnq.shop | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 188.114.97.0:443 | locatedblsoqp.shop | tcp |
| DE | 116.203.6.46:443 | 116.203.6.46 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:443 | pool.hashvault.pro | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.247.162:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.71:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | gacan.zapto.org | udp |
| RU | 45.132.206.251:80 | gacan.zapto.org | tcp |
Files
memory/2776-0-0x0000000076FA0000-0x0000000077076000-memory.dmp
memory/2776-1-0x0000000000A50000-0x0000000000A51000-memory.dmp
memory/2664-2-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-3-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-4-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-7-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-12-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-5-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-6-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-13-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-17-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-16-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-15-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-14-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-11-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-10-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-9-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-8-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-21-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-22-0x0000000000670000-0x000000000084F000-memory.dmp
C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe
| MD5 | 8e0ae87939388dfd7d6470bdd397b309 |
| SHA1 | 3af328c5c81fe77ab5d74cc97866e03490e5d080 |
| SHA256 | 5ed77020f0296739fb5b4ef5133bbdd84a0c8f69ac71cec490343b26dd066c4d |
| SHA512 | d3cfb86296b49744ac9a89b6a4a402e44a3d65c137a4a1f814c698001a2c609f0c7ce9fadd483511f6ec43811a5f81bd145dd1899be728ed3d7a9b3e0bf9a756 |
C:\Users\Admin\Documents\iofolko5\xVgYPV_K4LUHOzKuQoDbXikQ.exe
| MD5 | 8cb57865f3a9a465a2b06c7cfad880d8 |
| SHA1 | 27ec8d1902fbbf1035a60d2d58436f759e02f50f |
| SHA256 | 4cbe05e05abdc4e781d990fe7addeae545ee9b598ea5620a8b2f8de4a2d1e3dc |
| SHA512 | 6832766a41f8bbde588d9d55c250c3090646b11d5cad45fcb5c22e37a29d424e8680657064b4ebbfa250f4fef50118496451c6ce819db0ecda7f21f723df4bc8 |
C:\Users\Admin\Documents\iofolko5\h2PXVUpO7VPPDpwHJlB_xBgz.exe
| MD5 | f88b5bbdd03e0467d18e6f436ab2683c |
| SHA1 | dd9300fc17bfd44c08e5995ebc772a6d3d32170d |
| SHA256 | 507c4f043a45ee6897ef1ceedbc1df125afd88c5a850a61b8a62d2d3a81a8d21 |
| SHA512 | c7c0cf8f07d916af26f797dce7ddc9b501265ce61d356753b37c377e8e796ee3e0798923da6013ac29c3f90ae0db1b7483eff911364b0ff0ee946a612c738590 |
C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe
| MD5 | 9d1e5520a634731ed9747be9e9af7c5d |
| SHA1 | 6bc547c7e26073f71be0017e29c8702ddea2fc11 |
| SHA256 | 90c0395f668f198d1aed010aaabbdab7c7f78b5a8c90072f4a2225683ebaac36 |
| SHA512 | 3cc597e4b451252361707740fe58ea18ff8734a9adad48458760518d1828beb55bd0ddb080daf7c1a29cda462b7cabab3c3829fc5c811b1d3069a5d507b7cbaa |
C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe
| MD5 | d8ecb462d3046a0ee172551c5d505c8e |
| SHA1 | 54f9e16b497579964e9afc90c3c0c208f16b4418 |
| SHA256 | afb9edbf499a4726d798cda9f0f372b4b1019033b68d5eb87a8a83ecb7463d6f |
| SHA512 | 9eed44c24a71b44e90efc853b75d2103faa3f8518e1efad45c8c4733ee0396c51e8ea11ba6e7d2ac4f30234e6380c3325227cced8d1753373581eb45073c012e |
C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe
| MD5 | 2dd856fd610de4ef190dc02bce097b73 |
| SHA1 | fceaa9f208ec87b296cb0989988d98ccee206c14 |
| SHA256 | 9764001c0b991b432e236f3dcd4bce60c92505decc02939b8096bbcbe6f43958 |
| SHA512 | ddd87d9012d4a9c59307f7b88cd6d2ec787d2977f4f9ec397a93b571d5a2efe5c8837dbbe51e23385f75c8ecf868f912c214a2c600497f266ec4b382ab7070c5 |
C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe
| MD5 | d4ac1a0d0504ab9a127defa511df833e |
| SHA1 | 9254864b6917eba6d4d4616ac2564f192626668b |
| SHA256 | a29c9ebecbe58f11b98fa8f685619e46bbe0a73ca7f770a71a14051aa0bd9848 |
| SHA512 | 59b707d1c4f3c66337ec2f913de4b3506786a31108fc621bdbe7201490e91b0f7b70505763f71d53eee0eaacf477dc6ef9cd50769881654daf1b678eaaf994c5 |
C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe
| MD5 | 025ebe0a476fe1a27749e6da0eea724f |
| SHA1 | fe844380280463b927b9368f9eace55eb97baab7 |
| SHA256 | 2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2 |
| SHA512 | 5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799 |
C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe
| MD5 | ab68db6a238464a75b669938a3512ae1 |
| SHA1 | 48a7e2ed179d29d783d55fe610598474825bdf95 |
| SHA256 | 86bb9a397e62d756578dbe6c40cc07050f2066db6fb5d54499e03469a7cdccd5 |
| SHA512 | b811a8f5d3d2fab469a97a9a0d59d6b132b4fecbc7048dd203d25c938e7047b487e9a85799f8d9b04c0e01f307f3ff1bd0c3af967a8813c3ab0d72c69650364c |
C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe
| MD5 | 7972b08246e568495d9d116fc2d0b159 |
| SHA1 | 3e12225494f08369858453fd9fc7481b4f788165 |
| SHA256 | 2a6c90c8db27e6ac04c7e339dfe4b3c2d47a292bcf6fc1c5b4e0ae62fc81ff84 |
| SHA512 | f0ead246f31d1badb3cd5fd67cb5b3081f027fdad44dd50364734d61722f1bc2cacb1ad5d842ca3f7000a2699e7bdf059a508b54a95f5e155ae274d70e833ff7 |
memory/2664-103-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-121-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-137-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-145-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-160-0x0000000000670000-0x000000000084F000-memory.dmp
memory/976-168-0x0000000000510000-0x0000000000610000-memory.dmp
memory/2024-169-0x0000000000290000-0x0000000000390000-memory.dmp
memory/1744-161-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2664-152-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-141-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-133-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-128-0x0000000000670000-0x000000000084F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp
| MD5 | 56c6aeb0a4efc6f2312f8337fdb77d10 |
| SHA1 | 28d9890a37b96c119fe2eeb3c5f48103e7468738 |
| SHA256 | 7fc4e6672e1aa983e1ed885f71bc3710309b5e5d487184434945cfd2fd763dd2 |
| SHA512 | f2e2d3f84327717a7cfd143bc0a23fe304d59deeb250eee07b5fc861fab26af3a5fc7a5058ec9a3d0d446e661b101655e6532cf4898f8af1f15ac0d0998cad00 |
memory/2340-176-0x0000000001150000-0x0000000001442000-memory.dmp
memory/2504-183-0x0000000001330000-0x0000000001368000-memory.dmp
memory/2084-181-0x0000000001160000-0x00000000011B4000-memory.dmp
memory/960-185-0x00000000010B0000-0x0000000001138000-memory.dmp
memory/2196-179-0x0000000000310000-0x000000000035A000-memory.dmp
memory/2664-111-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2664-107-0x0000000000670000-0x000000000084F000-memory.dmp
memory/2488-192-0x00000000002F0000-0x0000000000381000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-AGBF7.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2656-209-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2656-207-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2656-206-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-AGBF7.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/2780-236-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2340-246-0x0000000004F00000-0x00000000050A0000-memory.dmp
memory/2780-234-0x0000000000400000-0x0000000000657000-memory.dmp
memory/2780-232-0x0000000000400000-0x0000000000657000-memory.dmp
memory/1560-231-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1560-230-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1560-229-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1560-226-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2340-274-0x0000000005470000-0x000000000560E000-memory.dmp
memory/1560-224-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1560-222-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2812-275-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1560-220-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2812-219-0x0000000000400000-0x0000000000486000-memory.dmp
memory/2812-218-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2812-216-0x0000000000400000-0x0000000000486000-memory.dmp
memory/2812-214-0x0000000000400000-0x0000000000486000-memory.dmp
memory/2812-212-0x0000000000400000-0x0000000000486000-memory.dmp
memory/2812-210-0x0000000000400000-0x0000000000486000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-AGBF7.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2340-276-0x0000000000450000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab4818.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar48F5.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\Tmp4A79.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 597fc57b8e02218b1471e7f63c54d12f |
| SHA1 | 6dcc7ad714752deafa3e11e39bc829839d713853 |
| SHA256 | 4337d5fc263a5915da5f22b35564f6b25f9a47f740908fbbd7a256111edba5a6 |
| SHA512 | b1de0ab069452bf953daefad3e28a775546acb7bd769dccb19cdb47f0ebe85263fc373f0f984ede6e8718b77f36142be01d569839178f8aabe88129ae157afbd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 7fb5fa1534dcf77f2125b2403b30a0ee |
| SHA1 | 365d96812a69ac0a4611ea4b70a3f306576cc3ea |
| SHA256 | 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f |
| SHA512 | a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | aaa5656ebde7fc2d9987fb2d30a3411b |
| SHA1 | 7ce08cb33f17e42f1ea3a1e5c36c00e29313e7a7 |
| SHA256 | 78014e8477aa9c0973e84a7ae12098071f58492c479b117557c128667206e88c |
| SHA512 | b98a6f3fabdaca1f2129be8ea6a4df83e5b5a5228e53b2b846ddf8bf42df113559db90c8a5be7b05a1cd166f309b561c83edba8d7b5ddd367518a487679b9c2e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 66b4da8ae7cd3a69f847e5c45bea7a1b |
| SHA1 | b8620a8257078e0ee6b495485edcae3861ed3e4c |
| SHA256 | 5ed078547bde6344eedccc14798d86c2e37c846dcadcbf206f8f22159fe04bb9 |
| SHA512 | 3de840c81f8f873a00bc18c2735226a5713dca0ad784e0b534e1fb6c36c00bc7b3eca73d52571333d2453203d810f1bc92531c2a9c7b8298cb69d9112056587f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0d9dec15dfbc0665b36c7e4b3ad9568b |
| SHA1 | 61cb4655163305064b8291ed9a75daa7ea2fd807 |
| SHA256 | 9c09b541860b4b24527945913a9abbeb0f4fa7ac351a1db9132d7b3ff561c4aa |
| SHA512 | 578b1a0c25c4cbef58cb31d9a4e99c40673433b1709fb9d8961a0db0a673e42fff591414aa083e1ff885e6db71c78bdc5afd523f6244966a6a115a672e8bc7eb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 752ca4da5e54ec39a658b9097897635f |
| SHA1 | fafc0762bdddfe862acef7c3b6de17a242813132 |
| SHA256 | 6e27bb5f036a7e5c3499164e4f6f6e51adada013f049a469e28828bcd54c406d |
| SHA512 | e5f658cb0c26b649d32a318598de2c9fa0927f9c6f32da13dafb17e42b75ee07cd3e0581694c52de5926a4cc54311aef0da58a160c17351c8c6b7a3c79c45b4e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f6367443401adba8d66f0370a687b594 |
| SHA1 | fab4f9cc7815be5a700a49285aadc70b0bf1a8a8 |
| SHA256 | 27eb51f1e22b34c5f455d7d1fb76d656558708845a47a69c52fa606853acc282 |
| SHA512 | d86bc42968cc1a351317ac29638267854d06a0648269e5339665617b4c93261fcad1fe0adb39cd72e0f68ed943b5be59782f5c8264bbeba8fc9e4d9652a844e2 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2628-579-0x0000000000D10000-0x0000000000D5A000-memory.dmp
C:\Users\AdminCAFBGHIDBG.exe
| MD5 | 24b1ff1f8ba8c5e20613a652b7ddcafb |
| SHA1 | 48cb72e8fb1bb1d586ccde26de74154130d2b219 |
| SHA256 | c45735085c630196f711708160c78f204d8fa3fd36dc7c49cfc039442ae4c9d7 |
| SHA512 | d277a6a0830dabc5b7d535f3d84c948a70ae3fd9a16948b55ccd69340726390f6346c91098c0a48d8f40cb76a83299fcfccf92b59675f36692b8537bbd720c8c |
memory/2884-619-0x0000000001290000-0x00000000012E8000-memory.dmp