Malware Analysis Report

2024-10-23 16:20

Sample ID 240902-xw1exswgpf
Target Worship.zip
SHA256 dc71309d185aa1c39ae1ce97daab077bdb1f9ca1617e2fccd741d15a9be8648b
Tags
djvu lumma redline logsdiller cloud (tg: @logsdillabot) credential_access defense_evasion discovery evasion execution infostealer persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc71309d185aa1c39ae1ce97daab077bdb1f9ca1617e2fccd741d15a9be8648b

Threat Level: Known bad

The file Worship.zip was found to be: Known bad.

Malicious Activity Summary

djvu lumma redline logsdiller cloud (tg: @logsdillabot) credential_access defense_evasion discovery evasion execution infostealer persistence ransomware spyware stealer

Detected Djvu ransomware

RedLine

Djvu Ransomware

Lumma Stealer, LummaC

RedLine payload

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Power Settings

Looks up external IP address via web service

System Binary Proxy Execution: Verclsid

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Launches sc.exe

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies system certificate store

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-02 19:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-02 19:12

Reported

2024-09-02 19:18

Platform

win7-20240708-en

Max time kernel

298s

Max time network

299s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Worship.zip

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2e348701-bad8-4ce5-88bd-01049c8e5222\\cxr20XMewyeALwN4CoQgbAzd.exe\" --AutoStart" C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A api.2ip.ua N/A N/A
N/A api64.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

System Binary Proxy Execution: Verclsid

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\verclsid.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2776 set thread context of 2664 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\Worship\Worship.pif
PID 2488 set thread context of 2656 N/A C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe
PID 960 set thread context of 2812 N/A C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2084 set thread context of 1560 N/A C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2196 set thread context of 2780 N/A C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2504 set thread context of 1540 N/A C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2340 set thread context of 2448 N/A C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe
PID 2760 set thread context of 3048 N/A C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe
PID 2628 set thread context of 2160 N/A C:\Users\AdminEBGDHJECFC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2884 set thread context of 2596 N/A C:\Users\AdminCAFBGHIDBG.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1076 set thread context of 2516 N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe C:\Windows\system32\conhost.exe
PID 1076 set thread context of 2572 N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe C:\Windows\system32\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\AdminCAFBGHIDBG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\AdminEBGDHJECFC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\Worship\Worship.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\Worship\Worship.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (hex blob omitted; it decodes to the DigiCert High Assurance EV Root CA certificate) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (hex blob omitted; it decodes to the DigiCert High Assurance EV Root CA certificate) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob omitted) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe N/A
N/A N/A C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A
N/A N/A C:\ProgramData\xprfjygruytr\etzpikspwykg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A
N/A N/A C:\Users\Admin\Documents\Worship\Worship.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 2664 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\Worship\Worship.pif
PID 2776 wrote to memory of 2664 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\Worship\Worship.pif
PID 2776 wrote to memory of 2664 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\Worship\Worship.pif
PID 2776 wrote to memory of 2664 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\Worship\Worship.pif
PID 2776 wrote to memory of 2664 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\Worship\Worship.pif
PID 2776 wrote to memory of 2664 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\Worship\Worship.pif
PID 2664 wrote to memory of 2084 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe
PID 2664 wrote to memory of 2084 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe
PID 2664 wrote to memory of 2084 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe
PID 2664 wrote to memory of 2084 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe
PID 2664 wrote to memory of 2340 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe
PID 2664 wrote to memory of 2340 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe
PID 2664 wrote to memory of 2340 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe
PID 2664 wrote to memory of 2340 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe
PID 2664 wrote to memory of 976 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\xVgYPV_K4LUHOzKuQoDbXikQ.exe
PID 2664 wrote to memory of 976 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\xVgYPV_K4LUHOzKuQoDbXikQ.exe
PID 2664 wrote to memory of 976 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\xVgYPV_K4LUHOzKuQoDbXikQ.exe
PID 2664 wrote to memory of 976 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\xVgYPV_K4LUHOzKuQoDbXikQ.exe
PID 2664 wrote to memory of 2504 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe
PID 2664 wrote to memory of 2504 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe
PID 2664 wrote to memory of 2504 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe
PID 2664 wrote to memory of 2504 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe
PID 2664 wrote to memory of 2024 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\h2PXVUpO7VPPDpwHJlB_xBgz.exe
PID 2664 wrote to memory of 2024 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\h2PXVUpO7VPPDpwHJlB_xBgz.exe
PID 2664 wrote to memory of 2024 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\h2PXVUpO7VPPDpwHJlB_xBgz.exe
PID 2664 wrote to memory of 2024 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\h2PXVUpO7VPPDpwHJlB_xBgz.exe
PID 2664 wrote to memory of 2196 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe
PID 2664 wrote to memory of 2196 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe
PID 2664 wrote to memory of 2196 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe
PID 2664 wrote to memory of 2196 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe
PID 2664 wrote to memory of 1744 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe
PID 2664 wrote to memory of 1744 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe
PID 2664 wrote to memory of 1744 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe
PID 2664 wrote to memory of 1744 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe
PID 2664 wrote to memory of 1744 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe
PID 2664 wrote to memory of 1744 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe
PID 2664 wrote to memory of 1744 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe
PID 2664 wrote to memory of 960 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe
PID 2664 wrote to memory of 960 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe
PID 2664 wrote to memory of 960 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe
PID 2664 wrote to memory of 960 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe
PID 2664 wrote to memory of 1224 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe
PID 2664 wrote to memory of 2488 N/A C:\Users\Admin\Documents\Worship\Worship.pif C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe
PID 1744 wrote to memory of 896 N/A C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp
PID 2488 wrote to memory of 2656 N/A C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Worship.zip

C:\Windows\system32\verclsid.exe

"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401

C:\Users\Admin\Documents\Worship\Worship.pif

"C:\Users\Admin\Documents\Worship\Worship.pif" C:\Users\Admin\DOCUME~1\Worship\y

C:\Users\Admin\Documents\Worship\Worship.pif

C:\Users\Admin\Documents\Worship\Worship.pif

C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe

C:\Users\Admin\Documents\iofolko5\VV_22__2DLz8ViM1jrF_R6iL.exe

C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe

C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe

C:\Users\Admin\Documents\iofolko5\xVgYPV_K4LUHOzKuQoDbXikQ.exe

C:\Users\Admin\Documents\iofolko5\xVgYPV_K4LUHOzKuQoDbXikQ.exe

C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe

C:\Users\Admin\Documents\iofolko5\JyqIGlqdhrNdXxdhVmHXzcwY.exe

C:\Users\Admin\Documents\iofolko5\h2PXVUpO7VPPDpwHJlB_xBgz.exe

C:\Users\Admin\Documents\iofolko5\h2PXVUpO7VPPDpwHJlB_xBgz.exe

C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe

C:\Users\Admin\Documents\iofolko5\etZM4gVUuzTcVn5cNb9lQsv7.exe

C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe

C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe

C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe

C:\Users\Admin\Documents\iofolko5\jq6xYRjzX_hXFXec5SaVIZIM.exe

C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe

C:\Users\Admin\Documents\iofolko5\OmTpmUm9O4I7wa71Z1lUcWVa.exe

C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe

C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe

C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LASPI.tmp\ilV6EjsxgVOJNFHFQBfEzPHa.tmp" /SL5="$50228,3518631,54272,C:\Users\Admin\Documents\iofolko5\ilV6EjsxgVOJNFHFQBfEzPHa.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe

C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe

"C:\Users\Admin\Documents\iofolko5\eruy1u628ynibrJHWsmyxp6E.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2e348701-bad8-4ce5-88bd-01049c8e5222" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe

"C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe

"C:\Users\Admin\Documents\iofolko5\cxr20XMewyeALwN4CoQgbAzd.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEBGDHJECFC.exe"

C:\Users\AdminEBGDHJECFC.exe

"C:\Users\AdminEBGDHJECFC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCAFBGHIDBG.exe"

C:\Users\AdminCAFBGHIDBG.exe

"C:\Users\AdminCAFBGHIDBG.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "VIFLJRPW"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "VIFLJRPW"

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\ProgramData\xprfjygruytr\etzpikspwykg.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe

svchost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\AFBKKFBAEGDH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network


Files
